HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    220
    Location:
    Planet Earth
    Can you please DM or post your other security software installed, e.g. EMET or MBAM etc.? Something is hooking almost everything on those browsers.
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    The Reply button is the quote button.
     
  3. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    76
    Location:
    Long Beach, WA
    Intruder errors opening Chrome with HMPA license expired. 10 computers and counting. All have MBAM premium.
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman,
    @markloman,
    @RonnyT,
    There seems to be an issue with HMPA and Malwarebytes.
    Several more reports (N.B. in Dutch) of HMPA-Malwarebytes issues in the comments at GratisSoftware.nl.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    220
    Location:
    Planet Earth
    For those running HMPA with an expired license / free mode in combination with MalwareBytes we have identified an issue and the workaround for the moment is to switch Safe Browsing off.
    We're working on a fix and will release that once it's ready.
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @RonnyT,
    Thanks for the swift response!
    I forwarded your reply to GratisSoftware.nl admin/owner.
     
  7. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    After updating HMPA to v3.7.6.738 HMPA prevents HMP from starting properly. No GUI comes up when starting HMP v3.8.0.292. In Task Scheduler I can see the process HitmanPro.exe appearing, but it disappears within a second. Also, the fast scans I have scheduled to be performed after logging in do not run (no system tray icon and balloon are shown). I have been able to confirm this by restoring an image from just before the HMPA update. At that moment HMP works correctly, but after the update and restarting the computer the issue starts. Also, after uninstalling HMPA v3.7.6.738 HMP works correctly again. There were no issues with HMPA v3.7.3.729. For now I have reverted to that version and set the auto update key in the registry to 0.
    I am on Win7 x64 with Norton Security v22.12.1.15, with no other security software installed.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    Is that when starting HMP directly via its own shortcut, or when starting HMP via the HMPA interface (Anti-Malware, Scan computer), or both options?
    I tested both options, and had no issue starting HMP. (Windows 7 x64, more details see signature.)
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,880
    Location:
    Under a bushel ...
    Win 10 x64 v1709 16299.334
    Code:
    On Fri 2018/03/23 6:31:24 PM GMT your computer crashed or a problem was reported
    crash dump file: C:\WINDOWS\MEMORY.DMP
    This was probably caused by the following module: hmpnet.sys (hmpnet+0x1CAE)
    Bugcheck code: 0xD1 (0x8, 0x2, 0x0, 0xFFFFF8080C557144)
    Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
    file path: C:\WINDOWS\system32\drivers\hmpnet.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert WFP Driver
    Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
    This bug check belongs to the crash dump test that you have performed with WhoCrashed or other software. It means that a crash dump file was properly written out.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpnet.sys (HitmanPro.Alert WFP Driver, SurfRight B.V.).
    Google query: hmpnet.sys SurfRight B.V. DRIVER_IRQL_NOT_LESS_OR_EQUAL
    
    Dump has subsequently been overwritten ... :isay:
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman,
    @markloman,
    @RonnyT,

    Earlier, before HMPA 3.7.6.738 and also before 3.7.3.729, I needed to disable HMPA CryptoGuard if I wanted to use Eraser 6.0.10.2620 (an old version) to overwrite a few files with one pass of zeroes (British HMG IS5).
    Since HMPA version 3.7.3.729 (or perhaps even since 3.7.1.723?), I notice that I don't need to disable HMPA CryptoGuard if I want to use Eraser to overwrite a few files with one pass of zeroes.
    Is that an intentional change in HMPA? Has the use of Eraser (one pass of zeroes using Eraser) been allowed by HMPA for a while now?
     
  11. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    Hi @erikloman, @markloman, @RonnyT,

    I have a false positive with the newly introduced Beta of 1Password 7 for Windows.
    It seems that the auto-start routine triggers HMPA b738 attack mitigation.
    A fast fix would be appreciated, as testing 1PW 7 is clunky under these circumstances. (Uninstall before shutting down and install again after boot.)

    An exception to exploit protection hasn't brought changes.

    Code:
    Mitigation CallerCheck
    
    Platform 10.0.16299/x64 v738 06_3a
    PID 4684
    Application C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe
    Description 1Password for Windows desktop 7
    
    Callee Type CreateProcess
    C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe
    
    Stack Trace
    Address Module Location
    
    1 76F593EC KernelBase.dll CreateProcessA +0x2c
    
    2 06048F5E (anonymous; clr.dll)
    8b8decfeffff MOV ECX, [EBP-0x114]
    c6410801 MOV BYTE [ECX+0x8], 0x1
    833d4000e70f00 CMP DWORD [0xfe70040], 0x0
    7407 JZ 0x6048f78
    50 PUSH EAX
    e8298c8c09 CALL 0xf911ba0
    58 POP EAX
    c785d0feffff00000000 MOV DWORD [EBP-0x130], 0x0
    898508ffffff MOV [EBP-0xf8], EAX
    83bd08ffffff00 CMP DWORD [EBP-0xf8], 0x0
    0f95c0 SETNZ AL
    0fb6c0 MOVZX EAX, AL
    89850cffffff MOV [EBP-0xf4], EAX
    90 NOP
    
    3 06048A94 (anonymous; clr.dll)
    4 0604822B (anonymous; clr.dll)
    5 060473F1 (anonymous; clr.dll)
    6 122BC499 mscorlib.ni.dll
    7 1232BDA5 mscorlib.ni.dll
    8 1232BCB6 mscorlib.ni.dll
    9 122BC3FB mscorlib.ni.dll
    10 122BC4EB mscorlib.ni.dll
    
    Process Trace
    1 C:\Users\XXX\AppData\Local\1Password\app\7\1Password.exe [4684]
    C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe C:\Users\XXX\AppData\Local\1password\app\7\FirefoxManifest.json onepassword4@agilebits.com
    2 C:\Program Files\Mozilla Firefox\firefox.exe [10688]
    3 C:\Windows\explorer.exe [11152]
    4 C:\Windows\System32\userinit.exe [7080]
    5 C:\Windows\System32\winlogon.exe [2432]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [9856]
    \SystemRoot\System32\smss.exe 00000144 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    
    Thumbprint
    163bf443cf26e6638c969b9496d4a6146cf201e3213cc2ec635ea43f97c70658
     
  12. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    Thank you for your fast response and checking HMP on your computer, Stupendous Man. I start HMP via its own shortcut. But the scheduled short scan that should start every time I log on in Windows also does not run.
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    Hi Pim,
    Thanks for that additional info.

    Have you tried starting HMP via the HMPA interface (Anti-Malware, Scan computer)?
    I suppose that doesn't work either, on your system, but have you tested?

    I hope the HMPA team (@erikloman, @markloman, @RonnyT) can reproduce your issue somehow and find a solution to it.
     
  14. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    I just tested that (I had forgotten about that option) and to my surprise a scan started via HMPA does work. So, it was a good suggestion from you Stupendous Man! I also noticed that the scheduled scan does start, contrary to what I wrote in my earlier post. I apparently missed that in my earlier tests, likely because a scheduled scan only runs if a scan has not been performed very recently (about 1 hour or so).

    So the issue apparently is that HMP's GUI does not open when started either via a Start Menu shortcut, or, if HMP is not installed, when it is started directly from the downloaded exe file.
     
  15. Buckholms

    Buckholms Registered Member

    Joined:
    Mar 26, 2018
    Posts:
    1
    Location:
    The United States
    I'm new to this site and forums, and I use HMPA (Expired) version 3.7.6 Build 738 as well as Malwarebytes Premium on Windows 7.

    When I opened Chrome, the "Intruder detected" came as an initial shock, and I am... how should I say? OCD when it comes to keeping my PC squeaky clean and started to do research on the problem. After some trial and error, I have found the problem, and may have a solution.

    RonnyT mentions switching Safe Browsing off, and yes, this works; however, I have begun to notice that if you right-click on Malwarebytes and disable Malwarebytes exploit protection while still having Safe Browsing on in HMPA, the problem goes away completely. I believe the issue lies somewhere in HMPA and Malwarebytes exploit protection conflicting with each other.
     
  16. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,130
    Location:
    USA
    In HMPA there are two 'vaccination' options. Anyone know the difference between the Active and Passive modes?
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,900
    Location:
    Hollow Earth - Telos
    It looks like active is recommended, but the default is the passive option.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    July 11, 2014, Mark Loman explained,
    January 27, 2016, Erik Loman informed,
    September 24, 2016,
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    HitmanPro.Alert 3.7.6 Build 739 Released

    Changelog | Compared to build 738
    • Improved activation, solves issue occurring during an error
    • Improved Webcam Notifier so it records additional details in the Windows Event Log
    • Improved Asynchronous Procedure Call (APC) mitigation
    • Improved Intruder alert; added platform details, limited hooked APIs and partial hex dump of trampolines
    • Fixed issue with Symantec's NtProtectVirtualMemory hook, which caused our shellcode and Symantec's shellcode to call each other in an infinite loop
    • Fixed CryptoGuard unblock blocked process
    • Fixed Intruder false positive when Malwarebytes and other products are detouring critical functions in the web browser; introduced since build 738
    • Fixed not showing of Intruder true positive when alert info was too big (pipe communication can now handle very large messages)
    • Fixed false positives with Credential Theft Protection (LSASS)
    Download
    https://dl.surfright.nl/hmpalert3.exe

    The automatic updater has been set to update all our users. You should receive it within the day, automatically.
    Let us know how this build runs on your machine(s). Thanks! :thumb:
     
  20. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    71
    Perfect. No problems with new release Firefox 59.0.x.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,655
    Location:
    Among the gum trees
    Two machines prompted for a restart and I manually updated my third machine. No problems here. :thumb:
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    All well on my Windows 7 x64. :thumb:
     
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,130
    Location:
    USA
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,007
    Location:
    USA
    Smooth upgrade from build 738 to build 739; no issues to report :thumb:
     
  25. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    Smooth here so far. No issues to report.
     