HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    28
    Location:
    Planet Earth
    Hi m0unds,

    Can you download this sysinternals tool http://live.sysinternals.com/procdump.exe
    procdump -ma -i c:\some.folder.here\memory.dmps\

    then reproduce the issue, this should record a memory dump of the crashing process.
    Once you have that dump please send me a DM.

    If you want you can reset your Just in time debugger
    procdump -u
     
  2. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    28
    Location:
    Planet Earth
    Hi Rebecca_valentine,

    Can you please try the following:
    - switch GUI to advanced interface (Gear icon)
    -- click on the blue button EM and set to disabled.
    -- click on the orange button
    --- CryptoGuard - untick SMB and MBR
    --- Set CryptoGuard to disabled

    Now set Anti-Malware to enabled and see if it stays enabled over time.
    If that doesn't work please reboot to see if that makes any difference.

    Don't forget to switch these settings back after testing.
     
    Last edited: Dec 8, 2017
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,886
    Location:
    North Carolina, USA
    Hello @RonnyT,

    The Anti-Malware feature on HMP.A 3.7.1.723 had been working with no issues on my system until this morning. I use Process Hacker 3.0.xxxx (nightly builds) on my system and an update was available this morning. It would not update as HMP.A Anti-Malware was reporting it as a threat and blocking it. I had to temporarily disable the Anti-Malware feature in order to install the update. When I went to re-enable Anti-Malware, I ended up having the same issue as @Rebecca_valentine. I tried your workaround posted above (post # 14477) but it took several attempts over several reboots for it to finally stick. At first, I thought the workaround was not going to work but persistence finally got the setting to stick. However, after about twenty to thirty minutes, the Anti-Malware feature had again turned itself off. It seems that I can occasionally get it to work for a brief period of time but it always ends up turning itself off again. Where @Rebecca_valentine's issue seemed to be present from the start with a fresh install, my issue began when I had to disable the Anti-Malware feature temporarily and then I can not re-enable it.
     
  4. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    120
    Hey, sending a DM with a pair of *.dmp files here in a few.

    *EDIT* Sent. Let me know if you need any other memory dumps or additional diagnostic info from the system.
     
    Last edited: Dec 5, 2017
  5. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    28
    Location:
    Planet Earth
    Thanks m0unds,

    From the looks of it this should be enough.
     
  6. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    120
    great, thanks for letting me know
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,464
    Location:
    Location Unknown
    Something odd is going on between Waterfox 56, HMPA, and Sandboxie. Everything worked fine in Waterfox 55, but ever since I upgraded to 56 I get the error message below whenever I launch the browser. Nothing else has changed, including the Sandboxie configuration.

    Any ideas on what could be wrong?
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    Compare it with the Mitigation ROP in #14452 and both look very similar.
    Seems to be an HMP.A + Sandboxie issue and they are working on it:
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,464
    Location:
    Location Unknown
    Interesting. It has not affected Waterfox 55, only 56. Thanks mood.
     
  10. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    18
    Location:
    Ether
    HitmanPro.Alert (Trial) "Anti-Malware: Disabled"

    V 3.7.1 Build 723

    Enabled will not "stick". Double clicked. Right clicked. Single clicked. Somewhere in this tome it was suggested to double click and that does nothing for me. Is this shut off in the Trial version?

    Searching for this turns up nothing here, there, everywhere. I have shut down and restarted the Service since there is no On/Off switch.

    Note that I had installed HMP before Alert. Both in Trials.

    Shouldn't have anything to do with it but I am also running Avast Internet Security and Comodo Firewall.

    TIA
     
  11. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    321
    HMP.A b723 crashed and burned (the icon disappeared from the Notification Area) this afternoon:

    Code:
    Fault bucket 3420534675, type 436414885
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: hmpalert.exe
    P2: 3.7.1.723
    P3: 5a0c5489
    P4: hmpalert.exe
    P5: 3.7.1.723
    P6: 5a0c5489
    P7: 40000015
    P8: 00232b92
    P9:
    P10:
    
    Attached files:
    C:\Users\xxxxxxx\AppData\Local\Temp\WER175D.tmp.WERInternalMetadata.xml
    
    These files may be available here:
    C:\Users\xxxxxxx\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_3ad81afbb3779ba8881966ec743affe3b77aa62_2ceb38d1
    
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 2d8c40a4-db91-11e7-afdf-4c72b91da94f
    Report Status: 0

    Don't know if this is related, but Event Viewer shows the following happening about one hour before:

    Code:
    Faulting application name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Faulting module name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Exception code: 0x40000015
    Fault offset: 0x00232b92
    Faulting process id: 0x668
    Faulting application start time: 0x01d36f73ae0d1cc3
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Report Id: 2d8c40a4-db91-11e7-afdf-4c72b91da94f

    Further symptoms: Task Manager lists only the hmpalert.exe *32 "SYSTEM" process as active, and is no longer listing the user process. There are no flyouts when opening an application, or any indication that what I'm typing here is getting encrypted.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    To have the tray icon back you can try to restart the service of HMP.A.
    While the service is restarting, the first instance of hmpalert.exe (SYSTEM process) launches the second instance (User Process, tray icon), and the indications and flyouts should be back.
    If you can find a dump file related to the crash you can send it to the developers, so they can perhaps find out why it has crashed.
     
  13. zagtastic

    zagtastic Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    15
    Location:
    san diego
  14. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    18
    Location:
    Ether
    Yeah - the Tray icon keeps disappearing on me too. Only way I can get it back is to kill the process and restart it in Task Manager. That sucks. Proggy though is still running behind the scenes just no way to access it.

    And still have not figured out how to access Anti-Malware. Wish they had forums so this could be organized.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    321
    Thanks. Two questions:

    1. Where should I look for the dump file?

    2. How to restart the service? There's only one HMP.A service listed in Services, and that one's already running. And, trying to stop that service in the hope that restarting it would also restart the user service, failed to stop the system service. Now it's listed simply as "Stopping" without actually concluding, and there's no longer a clickable option to stop or restart it.
     
    Last edited: Dec 8, 2017
  16. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thanks a ton for this. I did as you said, & now it works perfectly. The anti malware option stays enabled & seems to be fine.
    Again, thanks a lot :)
     
  17. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    28
    Location:
    Planet Earth
    Hi Rebecca,

    Thanks for confirming, please make sure you have switched all these other settings back to on!
     
  18. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    524
    Location:
    USA
    Interesting question! The attack details make it sound similar to process hollowing, but with a twist to hide it from security tools.

     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    Dump files for crashes of User Processes can be found there:
    C:\Users\<user>\AppData\Local\CrashDumps\
    for System Processes:
    C:\Windows\system32\config\systemprofile\AppData\Local\CrashDumps\

    Or you can use Everything and you'll find all dmp-files ("*.dmp") with ease.

    If it cannot be found:
    a) for some reason a dump file was not created
    b) CCleaner or a similar application has already deleted it
    c) the Windows Error Reporting (WER) was configured to not collect dump-files.
    etc, ...

    The last time I had to restart the service, I right-clicked the entry in Services and selected "Restart".
    Normally the currently running instance is terminated and two instances of hmpalert.exe are created.
    If it is stuck like in your case I would reboot.

    If the tray-icon is missing the next time, remember what you have done (if possible) before it has crashed. This information can also help to find or narrow down the source of the problem. For example:
    The developers must be able to reproduce it on their systems (or they must have at least a starting point) else it can't be fixed.
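
An added example, not part of any post in this thread and not from the HitmanPro.Alert developers: a PowerShell script that checks the two CrashDumps folders named above, the WER local-dump settings behind case (c), and Application Error events for hmpalert.exe like the one quoted earlier. The LocalDumps registry key and event ID 1000 are standard Windows values that the thread does not mention; the event field order is assumed to match the quoted "Faulting application" record.

```powershell
# Added example: collect hmpalert.exe crash evidence from the places named in this thread.
# Run elevated so the SYSTEM profile folder and the HKLM key are readable.
$process = 'hmpalert.exe'

# 1. CrashDumps folders from the post above (current user and SYSTEM profile).
$dumpDirs = @(
    (Join-Path $env:LOCALAPPDATA 'CrashDumps'),
    (Join-Path $env:windir 'system32\config\systemprofile\AppData\Local\CrashDumps')
)

# 2. Case (c): is WER set up to keep local dumps? (standard Windows key, not from the thread)
$werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
foreach ($key in $werKey, "$werKey\$process") {
    if (Test-Path -Path $key) {
        $cfg = Get-ItemProperty -Path $key
        "{0}: DumpFolder='{1}' DumpType={2} DumpCount={3}" -f $key, $cfg.DumpFolder, $cfg.DumpType, $cfg.DumpCount
        # A configured DumpFolder replaces the default CrashDumps location, so search it too.
        if ($cfg.DumpFolder) { $dumpDirs += [Environment]::ExpandEnvironmentVariables($cfg.DumpFolder) }
    } else {
        "$key is not present"
    }
}

# 3. List dump files whose name starts with the process name, newest first.
$dumps = foreach ($dir in ($dumpDirs | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter "$process*.dmp" -File -ErrorAction SilentlyContinue
    }
}
if ($dumps) {
    $dumps | Sort-Object LastWriteTime -Descending |
        Format-Table LastWriteTime, @{n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, FullName -AutoSize
} else {
    "No $process dump files found in: $($dumpDirs -join '; ')"
}

# 4. Application Error events (ID 1000) for the process, so a crash can be matched to a dump by time.
$filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $process } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Version       = $_.Properties[1].Value
            FaultModule   = $_.Properties[3].Value
            ExceptionCode = $_.Properties[6].Value
            FaultOffset   = $_.Properties[7].Value
        }
    } | Format-Table -AutoSize
```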
     
  20. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thank you so much RonnyT . The solution works perfectly for me.
    & Yes, I have switched the other settings back to enabled :)
     
  21. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    321
    Thanks for all the info, @mood. :thumb:

    The next morning, the HMP.A icon was back in the Notification Area, although the Processes tab in the Task Manager showed only the user process running (and not the system process any longer). I ended up restarting the computer. Everything is working normally for now.

    If this happens again, I'll take note of what I was doing at the time and then send the dump file to Erik/Mark.
     
  22. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    5
    Location:
    Finland
    What does this mean? Scan found nothing.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,313
    Assuming you are using build 723, it means you turned on the SAM protection under CreditGuard. Turn it off!!
     
  24. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    62
    This option was not activated at installation. Is this option turned on with you? Should I turn it on? v.3.7.1 build 723
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    For a reason it is disabled by default:
     