HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    Correction @RonnyT : It's partially solved. Currently 1PW7 doesn't start with the PC automatically, so when you click on the 1Password Browser Extension, it wants to start the program. Apparently, this triggers HMPA b739

    Code:
    Mitigation   CallerCheck
    
    Platform     10.0.16299/x64 v739 06_3a
    PID          4604
    Application  C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe
    Description  1Password for Windows desktop 7
    
    Callee Type  CreateProcess
                 C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe
                 0x76FF59A0 (6 bytes)
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  777893EC KernelBase.dll           CreateProcessA +0x2c
    
    2  04F68F5E (anonymous; allocated by 0FEEE6B2, clr.dll)
                8b8decfeffff             MOV          ECX, [EBP-0x114]
                c6410801                 MOV          BYTE [ECX+0x8], 0x1
                833d4000541000           CMP          DWORD [0x10540040], 0x0
                7407                     JZ           0x4f68f78
                50                       PUSH         EAX
                e8298c070b               CALL         0xffe1ba0
                58                       POP          EAX
                c785d0feffff00000000     MOV          DWORD [EBP-0x130], 0x0
                898508ffffff             MOV          [EBP-0xf8], EAX
                83bd08ffffff00           CMP          DWORD [EBP-0xf8], 0x0
                0f95c0                   SETNZ        AL
                0fb6c0                   MOVZX        EAX, AL
                89850cffffff             MOV          [EBP-0xf4], EAX
                90                       NOP         
    
    3  04F68A94 (anonymous; allocated by 0FEEE6B2, clr.dll)
    4  04F6822B (anonymous; allocated by 0FEEE6B2, clr.dll)
    5  04F673F1 (anonymous; allocated by 0FEEE6B2, clr.dll)
    6  1298C499 mscorlib.ni.dll         
    7  129FBDA5 mscorlib.ni.dll         
    8  129FBCB6 mscorlib.ni.dll         
    9  1298C3FB mscorlib.ni.dll         
    10 1298C39B mscorlib.ni.dll         
    
    Process Trace
    1  C:\Users\XXX\AppData\Local\1Password\app\7\1Password.exe [4604]
    C:\Users\XXX\AppData\Local\1password\app\7\1Password.exe C:\Users\XXX\AppData\Local\1password\app\7\FirefoxManifest.json onepassword4@agilebits.com
    2  C:\Program Files\Mozilla Firefox\firefox.exe [3136]
    3  C:\Windows\explorer.exe [10096]
    4  C:\Windows\System32\userinit.exe [7832]
    5  C:\Windows\System32\winlogon.exe [4532]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6  C:\Windows\System32\smss.exe [8800]
    \SystemRoot\System32\smss.exe 000000e4 00000084 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    
    Thumbprint
    1eeb6a709cd9017c1bc0b9ddbcc2d4868d8e851f93c10b033218ba1cfcfba032
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    927
    Location:
    UK
    Cannot reproduce at all now.

    All I did was hit the disable mitigations button in the app config window, it unticked and greyed out all boxes.
    Then I hit enable again, planning to do some testing but was then surprised it was still ok.

    So simply disabled and reenabling again, it now seems ok. Is odd.

    I was only running some module commands in powershell to install PSGET module, and that made HMPA shut powershell down originally, but now HMPA seems ok with the install PSGET command.
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    268
    Location:
    Planet Earth
    Are you using Add/Remove software to uninstall?
    Because there is no reason for lockdown to kick in other then that you are running something protected and trying to do the uninstall via the mitigated program normally.
     
  4. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    18
    Location:
    UK
    using comodo program manager and revo uninstaller, both of em don't let me uninstall any sort of program.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    @anonskii,
    Have you tried uninstalling any program using Windows' common uninstall option?
    Control Panel\ Programs \Programs and Features\ Uninstall or change a program.
    Does that work?
    I hope RonnyT can find out why Comodo Programs Manager and Revo Uninstaller don't work.

    @ Anyone else,
    Does anyone else on Windows 7 x64 have any issues uninstalling programs when using Comodo Programs Manager or Revo Uninstaller, since HMPA 3.6.7 build 739?
     
    Last edited: Apr 5, 2018
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use Revo, but honestly it's been a while since I've uninstalled HMPA.
     
  7. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    18
    Location:
    UK
    it works fine with the default windows uninstall option but not with third party uninstall programs as it triggers the lockdown migration
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    942
    Location:
    Baden Germany
    So HMPA works perfectly fine. It does what it should, stop third party apps from tampering the system.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,414
    Location:
    Outer space
    Have you added the third party uninstallers as a protected application in HMP.A?
     
  10. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    18
    Location:
    UK
    most of the programs are protected automatically by HMP.A, i don't touch any of the settings
     
  11. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    I think this is a bug
    Newest AcronisTruei2018v22.5.1.11530
    2HitmanPro Alert event Acronis 2018 service 22.5.1.jpg
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    November 15, 2017, in the HitmanPro.Alert BETA thread, Mark wrote:
    March 31, 2018, in this thread, Ronny wrote:
    As Ronny said, best disable SAM, it needs more attention, even for Acronis True Image, I suppose.
     
  13. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    W10n HmpA screen.jpg
    Can somebody exactly tell me how to disable SAM under the orange option "Credential Theft Protection"
    I am Dutch you see.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,166
    Location:
    Under a bushel ...
    You should see the tick/untick option at the bottom of the 'Credential Theft Protection' panel.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    Thanks, paulderdash.
    @heikwith, in Dutch, for Dutch user interface:
    Klik de oranje "Risicoverkleining" tegel,
    klik vervolgens "Bescherming van aanmeldgegevens",
    haal onderaan het vinkje weg voor "Beveiligingsaccountbeheer (SAM)"
    en klik vervolgens ergens in het lege zwarte gedeelte van de gebruikersinterface.
    Dat is het.
     
  16. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Thanks for the translation, I found SAM tick/untick option, but I no longer need it.
    Why, I do not understand, but the alert is gone.
    When it happens again, I know how to disable SAM.
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    457
    HMP.A build 739 on Windows 7 HP x64 crashed twice this afternoon:
    Code:
     Problem Event Name:    APPCRASH
      Application Name:    hmpalert.exe
      Application Version:    3.7.6.739
      Application Timestamp:    5abcf8b7
      Fault Module Name:    hmpalert.exe
      Fault Module Version:    3.7.6.739
      Fault Module Timestamp:    5abcf8b7
      Exception Code:    40000015
      Exception Offset:    00208fa6
      OS Version:    6.1.7601.2.1.0.768.3
      Locale ID:    1033
      Additional Information 1:    1ef7
      Additional Information 2:    1ef784b371cca7cac9004a82a554dc62
      Additional Information 3:    bf2b
      Additional Information 4:    bf2bc1a82b87ff418af016307503b84d
    
    
    and:
    Code:
     Problem Event Name:    APPCRASH
      Application Name:    hmpalert.exe
      Application Version:    3.7.6.739
      Application Timestamp:    5abcf8b7
      Fault Module Name:    KERNELBASE.dll
      Fault Module Version:    6.1.7601.24059
      Fault Module Timestamp:    5aa1f588
      Exception Code:    e06d7363
      Exception Offset:    0000c54f
      OS Version:    6.1.7601.2.1.0.768.3
      Locale ID:    1033
      Additional Information 1:    2dce
      Additional Information 2:    2dce12b456ff7fb8e74618adf89ad7dd
      Additional Information 3:    c7a1
      Additional Information 4:    c7a151e742115d76ccebf4a1a8a90339
    
    Afterward, the HMP.A icon in the Notification Area went away.
     
  18. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    It happens again, with SAM still enabled, but I see something strange:
    Acronis scheduled backup (every 2 hours), which causes the alert, went on normal.
    This happened also yesterday I see now.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    heikwith

    Hitman pro defaults off. If you persist in enabling it you are going going to continue to have problem.
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    268
    Location:
    Planet Earth
    I can only reproduce this when I manually put Comodo Programs Manager on the Exploit Mitigations, if you chose to do so you have to disable the "Application lockdown" because that is exactly doing what it was designed for.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No problem with Revo uninstaller here, but no Comodo on board
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    268
    Location:
    Planet Earth
    Revo does the same if you put it on Exploit Migitation "Other" and you try to uninstall an unsigned application.

    Mitigation Lockdown

    Platform 6.1.7600/x64 v739 06_9e*
    PID 336
    Application C:\Users\root\AppData\Local\Temp\_iu14D2N.tmp
    Description Setup/Uninstall

    Filename C:\Users\root\AppData\Local\Temp\_iu14D2N.tmp
    Created By C:\Program Files (x86)\KC Softwares\DUMo\unins000.exe


    Process Trace
    1 C:\Users\root\AppData\Local\Temp\_iu14D2N.tmp [336]
    "C:\Users\root\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\KC Softwares\DUMo\unins000.exe" /FIRSTPHASEWND=$304F0
    2 C:\Program Files (x86)\KC Softwares\DUMo\unins000.exe [468]
    3 C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe [2144]
    4 C:\Windows\explorer.exe [2712]
    5 C:\Windows\System32\userinit.exe [2672]
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    anonskii wrote "most of the programs are protected automatically by HMP.A, i don't touch any of the settings".
    That made me think Comodo Programs Manager and Revo Uninstaller were not manually added to protected applications. But now RonnyT's replies make me think differently.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    268
    Location:
    Planet Earth
    That doesn't reproduce here. None of those are automatically added to protections on my setup.
    And application lockdown only happens if the parent process is mitigated, maybe he uses an application launcher that is protected, in that case the child process comodo/revo will inherit the protections and cause similar behavior.
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    Yes, that is as I assumed.
    Ah, interesting.
    I hope that anonskii can shed some light on the question whether Comodo Programs Manager and Revo Uninstaller were manually added to protected applications, or whether a protected application launcher is used so that Comodo Programs Manager and Revo Uninstaller inherit the protections and the reported behavior is shown.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.