HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Also smooth here on win 7x64
     
  2. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,130
    Location:
    USA
    Easy upgrade -- and seems to be working fine here on XP.
     
  3. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    926
    Fails to install. Error 0.
     
  4. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    923
    Location:
    UK
What is mitigation CallerCheck?

    It is shutting down my powershell applet.

    Mitigation CallerCheck

    Platform 6.3.9600/x64 v728 06_9e
    PID 5904
    Application C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Description Windows PowerShell 10

    Callee Type CreateProcess
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FF806420D36 KernelBase.dll CreateProcessW +0x66
    2 00007FF806587B83 kernel32.dll CreateProcessW +0x53

    3 00007FFF9B4BA874 (anonymous; clr.dll)
    488b5560 MOV RDX, [RBP+0x60]
    c6420c01 MOV BYTE [RDX+0xc], 0x1
    833d6d6ae35e00 CMP DWORD [RIP+0x5ee36a6d], 0x0
    7406 JZ 0x7fff9b4ba88b
    ff15cd73e35e CALL QWORD [RIP+0x5ee373cd]
    8bf0 MOV ESI, EAX
    e8deae4f5e CALL 0x7ffff99b5770
    85f6 TEST ESI, ESI
    0f95c1 SETNZ CL
    0fb6c9 MOVZX ECX, CL
    898d94000000 MOV [RBP+0x94], ECX
    488b8dd8000000 MOV RCX, [RBP+0xd8]
    4885c9 TEST RCX, RCX
    7423 JZ 0x7fff9b4ba8cf
    488b8dd8000000 MOV RCX, [RBP+0xd8]

    4 00007FFF9B4B83BA (anonymous; clr.dll)
    5 00007FFF9B4B8049 (anonymous; clr.dll)
    6 00007FFF9B4B749E (anonymous; clr.dll)
    7 00007FFF9B4B71EF (anonymous; clr.dll)
    8 00007FFF9B4B4AA5 (anonymous; clr.dll)
    9 00007FFF9B4B32E8 (anonymous; clr.dll)
    10 00007FFF9B4B2C1B (anonymous; clr.dll)

    Process Trace
    1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [5904]
    2 C:\Windows\explorer.exe [3608]
    3 C:\Windows\System32\userinit.exe [3600]

    Thumbprint
    8570f161f01126ead629945f0fd1938392d486225c150d4b526f275a2c29e2fa
     
  5. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Build 739 automatic upgrade worked as intended. Everything OK so far.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,881
    Location:
    Under a bushel ...
    No problem, Win 10 x64 v1709 16299.334.
     
  8. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
    Hi Pim,
    Thanks for the details, we'll have a look and see if we can reproduce this.
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
Can you reproduce this with the latest 738?
    CallerCheck validates if the correct API path is called, and if something tries to bypass alert.
     
  10. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    30
    Location:
    ITALIA
    Upgrade Build 738 to 739 all right.
    Thank you! :thumb::thumb::thumb:
     
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,635
After uninstallation of the current version (HMP.A 3.7.6 Build 739) a Bluescreen has appeared (BugCheck D4).
    Note: to be more exact, the Bluescreen happened after I logged out and the system was "about to reboot".
    Note #2: Before logging out I wanted to launch the start menu and pressed a key, but then I noticed that the keyboard wasn't functional anymore. This happened right after the uninstallation routine had finished and the dialog "Do you want to reboot now?" appeared.
    Note #3: This did not happen with previous versions.
    Note #4: Maybe important: I had installed HMP.A but hadn't rebooted after the installation. After some testing I uninstalled it and then the BSOD appeared.

    Excerpt of the dump-file analysis (a minidump is available, I'll prepare a PM or email soon):
    Code:
    SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (d4)
    FAULTING_IP:
    hmpalert.sys+40b20
    fffff800`257d0b20 ??              ???
    FAILURE_BUCKET_ID:  0xD4_UNLOADED_MODULE_hmpalert.sys!unknown_function
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
     
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    300
    Location:
    Netherlands
W7 x64; auto upgrade from build 738 to build 739 went fine.
    Up till now no issues whatsoever.
     
    Last edited: Mar 31, 2018
  13. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    926
    Yes, it shows up in there.

    Since the uninstaller you provided was mentioning 2.x I decided to perform a regular uninstall first. That was enough to be able to install HMP.A again.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman,
    @markloman,
    @RonnyT,

    One time alert on closing IE11 on Windows 7 x64 (more system details, see signature)

    Code:
    Mitigation   DEP
    
    Platform     6.1.7601/x64 v739 06_17*
    PID          5072
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    EIP     = 0x700CEDF0 : WOT.dll+0x12EDF0
    State   = 0x00001000
    Type    = 0x01000000
    Protect = 0x00000004
    
    700CEDF0 1050BD       ADC [EAX-0x43], DL
    700CEDF3 0E           PUSH CS
    700CEDF4 95           XCHG EBP, EAX
    700CEDF5 16           PUSH SS
    700CEDF6 0000         ADD [EAX], AL
    700CEDF8 2F           DAS 
    700CEDF9 1400         ADC AL, 0x0
    700CEDFB 0000         ADD [EAX], AL
    700CEDFD 00403F       ADD [EAX+0x3f], AL
    700CEE00 0000         ADD [EAX], AL
    700CEE02 803E00       CMP BYTE [ESI], 0x0
    700CEE05 0010         ADD [EAX], DL
    700CEE07 40           INC EAX
    700CEE08 692D00000B0500000100 IMUL EBP, [0x50b0000], 0x10000
    700CEE12 0000         ADD [EAX], AL
    700CEE14 0A00         OR AL, [EAX]
    
    Code Injection
    00020000-00021000    4KB C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [1248]
    1  C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [1248]
    2  C:\Windows\System32\services.exe [952]
    
    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [5072]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:267521 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [4000]
    3  C:\Windows\explorer.exe [4348]
    4  C:\Windows\System32\userinit.exe [2340]
    5  C:\Windows\System32\winlogon.exe [5084]
    winlogon.exe
    6  C:\Windows\System32\smss.exe [4676]
    \SystemRoot\System32\smss.exe 00000000 00000044 
    
    Thumbprint
    5d7b518a6db824c50579776c3c40c26a26664a7d153ab6fed794f0ce1ff4c51b
     
  15. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    109
    @erikloman
    @markloman

    HMP.A service crashes after opening GUI. (b739/Win7 x64)

    Code:
    Faulting application name: hmpalert.exe, version: 3.7.6.739, time stamp: 0x5abcf8b7
    Faulting module name: ntdll.dll, version: 6.1.7601.24060, time stamp: 0x5ab053c6
    Exception code: 0xc0000005
    Fault offset 0x00037719
    Faulting process id: 0x3edc
    Faulting application start time: 0x01d3c8711135b236
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Windows\SysWOW64\ntdll.dll
     
  16. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
Just got this on a Win10 Enterprise LTSB 1607 build 14393.
    Currently still on 3.7.6 build 738; the update is pending a system restart, but I can't restart at this moment.
    Why would it detect this?
    Code:
    Mitigation   CredGuard
    
    
    Platform     10.0.14393/x64 v738 06_3a
    PID          10796
    Application  C:\Windows\System32\SrTasks.exe
    Description  Microsoft® Windows System Protection background tasks. 10
    
    SAM access denied.
    
    Range = LBA 2833344 :128
    Read  = LBA 2833344 :72
    
    Process Trace
    1  C:\Windows\System32\SrTasks.exe [10796]
    C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
    2  C:\Windows\System32\svchost.exe [476]
    C:\Windows\system32\svchost.exe -k netsvcs
    3  C:\Windows\System32\services.exe [796]
    4  C:\Windows\System32\wininit.exe [684]
    wininit.exe
    
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
You have SAM protection enabled under the orange option "Credential Theft Protection"; please disable that, we ship it off by default.
    And this feature needs a little more attention.
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
    I guess WOT == Web of Trust is active in IE?
    They are trying to execute memory that is not marked as executable, so this is a legit alert. Not directly malicious though, probably coding mistake.
     
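An added triage helper, written for this thread and not part of HitmanPro.Alert or of any post above: it parses the alert reports posted in this thread (the CallerCheck and DEP reports share the same header, Process Trace and Thumbprint layout) into fields and, for a DEP alert, decodes the State/Type/Protect values against the documented Windows memory constants to show why the region counts as non-executable. The sample is constructed from the DEP report quoted earlier; the constant values are assumed from the MEMORY_BASIC_INFORMATION documentation.

```python
import re
# Windows MEMORY_BASIC_INFORMATION constants (documented values, not taken from the thread)
MEM_COMMIT, MEM_IMAGE = 0x1000, 0x01000000
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
HEADER_KEYS = ("Mitigation", "Platform", "PID", "Application", "Description",
               "Callee Type", "Filename", "Created By")
def parse_alert(text):
    """Header fields, hex region values (EIP/State/Type/Protect), trace as (path, pid), thumbprint."""
    info, section = {"trace": [], "regs": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line in ("Stack Trace", "Code Injection", "Process Trace", "Thumbprint"):
            section = line
        elif section == "Process Trace":
            m = re.match(r"^\d+\s+(.+?)\s+\[(\d+)\]$", line)
            if m:  # command-line continuation lines carry no [pid] and are skipped
                info["trace"].append((m.group(1), int(m.group(2))))
        elif section == "Thumbprint":
            if re.fullmatch(r"[0-9a-f]{64}", line):
                info["thumbprint"] = line
        elif section is None:
            m = re.match(r"^(\w+)\s*=\s*(0x[0-9A-Fa-f]+)", line)
            if m:
                info["regs"][m.group(1)] = int(m.group(2), 16)
            else:
                key = next((k for k in HEADER_KEYS if line.startswith(k + " ")), None)
                if key:
                    info[key] = line[len(key):].strip()
    return info

def dep_verdict(info):
    """A DEP alert means code ran from a committed region with no PAGE_EXECUTE* protection."""
    r = info["regs"]
    return {"committed": bool(r.get("State", 0) & MEM_COMMIT),
            "image_backed": bool(r.get("Type", 0) & MEM_IMAGE),
            "executable": r.get("Protect", 0) in EXEC_PROTECT}
# Constructed sample, modelled on the DEP report quoted in the thread.
SAMPLE = r"""
Mitigation   DEP
PID          5072
EIP     = 0x700CEDF0 : WOT.dll+0x12EDF0
State   = 0x00001000
Type    = 0x01000000
Protect = 0x00000004
Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [5072]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" /prefetch:2
2  C:\Windows\explorer.exe [4348]
Thumbprint
5d7b518a6db824c50579776c3c40c26a26664a7d153ab6fed794f0ce1ff4c51b
"""
```

For the sample, `dep_verdict(parse_alert(SAMPLE))` reports the region as committed and image-backed (WOT.dll) but not executable, which is the condition RonnyT describes.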
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    225
    Location:
    Planet Earth
Can you provide us a (mini)dump? Probably related to the other anti-X software installed on your machine.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    Yes, it is.
    It was a one time alert. I never saw such alert before, not with previous HMPA builds and not with 739 over the past couple of days. Perhaps it was a one time event and I'll never see it again. If it happens again, I'll report again.
     
  21. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    Can confirm that the issue with 1PW7 beta is gone.
     
  22. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    109
    Of course, where should I send it?
     
  23. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    18
    Location:
    UK
I can't seem to uninstall any programs; HitmanPro.Alert keeps on terminating the process (mitigation: Lockdown). This started happening with the 739 build.

    Code:
    Mitigation   Lockdown
    
    Platform     6.1.7601/x64 v739 1f_05
    PID          3376
    Application  C:\Program Files (x86)\KC Softwares\DUMo\unins000.exe
    Description  Setup/Uninstall
    
    Filename     C:\Users\adz\AppData\Local\Temp\_iu14D2N.tmp
    Created By   C:\Program Files (x86)\KC Softwares\DUMo\unins000.exe
     
    Last edited: Mar 31, 2018
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @ Anyone else,
    Has anyone else on Windows 7 x64 tried uninstalling any programs since HMPA build 739?
     
  25. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    179
    Location:
    Canada
    Seamless automatic upgrade, and no issues have cropped up.
     