HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    877
    Issue of a user on the forum with hmpa 3.7.9 build 771. He tried posting here but he had issues with moderation I believe. I pasted his text from the other forum in the spoiler.

    I'm not sure what the best way to make the HMPA devs (SurfRight) aware of this, so I'll just post it here and hope one of them sees it or someone who knows how to contact them makes them aware of it. I checked their site for contact info and didn't see any, so between these issues and the fact they don't have any apparent support, I guess I'll pass on this software, which I was actually seriously considering before. Also, this clearly isn't a Q&A, but it wouldn't let me post without selecting a prefix and oddly there isn't one for reporting issues.

    I've just spent quite a while testing HMPA 3.7.9 build 771, resetting the VM numerous times to try and narrow down exactly what's going on and make sure the problems are consistent (and actually many more times than I otherwise would have had to because I did numerous tests with build 759, assuming that was the latest one since it updated to it, only to find that after doing that update it did another update to 771, instead of just going straight to that version). And I've determined there are a couple issues with it which appear to be bugs, though the first could simply be by design, though, if that's the case, it's a poor design IMO.

    The first issue is that if malware is run while internet access is down, once it's back, even after HMP does a scan and flags the malware, it will still allow it to run unchecked from that point on. Maybe it whitelists the malware due to it having already run, but that doesn't make sense both due to it flagging it on the scan and due to the fact it happens even if the malware isn't installed, simply that it's run. For example, I downloaded the known infected version of CCleaner (5.33.6162) from https:// downzen dot com/en/windows/ccleaner/download/5336162/, installed HMPA, disabled the internet (this was done in VirtualBox, so I simply disabled the network access to the VM in its settings), ran the installer (required running through an elevated cmd prompt since Windows wouldn't allow it normally even with WD completely disabled), then closed it as soon as it opened. At that point, I reenabled the internet access and relaunched it, and HMPA didn't do anything to stop it. I also tried running a scan with HMP first after turning the network access back on, to make sure it flagged the installer and knew it was malware, and then ran it, and still, HMPA let it go unchallenged. If it is whitelisting it, that seems to be a poor decision, and I don't think it should be doing that. It should still pop-up a warning and offer the option to manually add an exception at least. However, it really seems more like a bug to me.

    I also tried running a scan first, so it would be flagged by HMP, then disabling the network connection and launching the malware, and it again ran without intervention. Despite everything else, I had hoped that HMPA would at least block it at that point, having determined it a threat and hopefully remembering that, but apparently not. So not only is it useless when there's no internet access which, while not ideal, is to be expected since it's a cloud scanner (though I thought it was a BB, which clearly it isn't if it's reliant on the cloud), it seems it's also useless even *with* a connection once malware has been run, and also without a connection even after it's already identified the malware, which is truly disappointing. Hopefully these issues can and will be fixed.

    The other issue I've noticed, which seems minor but is still worth mentioning, is that it often takes a while to reflect the status of the internet connection. For example, after disabling the connection, it still shows the protection as being active, even though it clearly is not. I see this as being the bigger problem, since it can lead to a false sense of security in the case of a loss of internet access. Interestingly, even though it says "Anti-Malware" on the button (advanced interface), indicating it's active, clicking it usually, but not always, shows that cloud protection is offline. Disabling then reenabling it causes the button to accurately indicate "Anti-Malware Offline" (again, usually but not always). The inverse is also true: when a connection is established, it sometimes continues to show that the protection is offline until disabling and reenabling it, at which point it changes to say "Anti-Malware" and the "Cloud Protection Offline" warning goes away (actually, that warning goes away sometimes, if not always, on its own, so it seems the issue when regaining connection is solely with the main button text). This, at least, doesn't seem to present an actual issue, since as far as I can tell protection is active despite it indicating otherwise, so this aspect of the bug appears to merely be a confusing factor, but not a risk. Still, it warrants further investigation, just in case protection might not always be active at that point. Regardless, there's clearly an issue with it maintaining awareness of the state of the connection and modifying its display of the status accordingly.

    Another thing I've noticed which, while not an issue necessarily, is rather curious, is that once the scan gets to 99% it sits there for a bit then drops back down to ~90% and then continues to climb again, once again pausing for a bit on 99% before finishing. It does this regularly.

    Finally, another thing I don't like is that once the scan results window is closed, there doesn't appear to be a way to get it back without rerunning the scan. There should be a button to access scan results, and preferably a history within those results to view previous scans as well.
     
    Last edited: Dec 15, 2018
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,986
    Location:
    the Netherlands
    Thanks for posting, SHvFl.
    I hope that RonnyT, Erik, or Mark will notice.
    Regarding what that person wrote, "I checked their site for contact info and didn't see any," yes, it is rather inconvenient the support address isn't visible on the HMPA support page. It is in 5 out of 11 of the FAQ answers, but that is hardly helpful if the FAQ questions don't match what someone has to ask or to report.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,144
    Location:
    The Netherlands
    Can you give some more info about this, how did it try to bypass behavior monitoring?
     
  4. brihy1

    brihy1 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    198
    Location:
    usa
    When purchasing hmpa does hmp come with it or does it have to be purchased separately?
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,218
    Location:
    Among the gum trees
    HMP.A includes HMP.
     
  6. brihy1

    brihy1 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    198
    Location:
    usa
    That's good to hear, thanks Krusty
     
  7. Barry77

    Barry77 Registered Member

    Joined:
    Dec 22, 2018
    Posts:
    2
    Location:
    Netherlands
    Oh ... I was not aware of that. I have each purchased a license for HitmanPro and HitmanPro.Alert over 3 years at Black-Friday special and have activated both licenses. Had I known that, I would have bought two HitmanPro.Alert licenses. Is it possible to upgrade a HitmanPro license? @RonnyT, @markloman, @erikloman
     
  8. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    136
    Location:
    Planet Earth
    Please send your reference IDs and question to support@hitmanpro.com so we can handle it from there.
     
  9. Barry77

    Barry77 Registered Member

    Joined:
    Dec 22, 2018
    Posts:
    2
    Location:
    Netherlands
    Thank you for the great support! :)
     
  10. conceptualclarity

    conceptualclarity Registered Member

    Joined:
    Jun 11, 2013
    Posts:
    58
    Location:
    USA
    Does HitmanPro.Alert conflict with Kaspersky? It's been asserted that "they silently conflict and break functionality." Furthermore that "HMPA should not be run alongside AVs and Internet Suites that have BB and similar modules."

    If there is/are such conflict(s) can it/they be remedied in program settings?
     
    Last edited: Jan 1, 2019
  11. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,696
    Location:
    Hollow Earth - Telos
    C:\Users\User\Downloads\flashplayer32pp_xa_install.exe
    Lockdown
     
    Last edited: Jan 11, 2019
  12. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    136
    Location:
    Planet Earth
    Looks like Comodo Dragon is on the wrong protection profile, can you check on the advanced interface --> applications and find it there.
    If it's not under browsers this will happen, in that case untick the "Application lockdown" box for it and reboot the PC then it should work.
     
  13. Lhaff

    Lhaff Registered Member

    Joined:
    Jan 12, 2019
    Posts:
    1
    Location:
    Tulsa
    Is there a way to exclude mitigation Windows System Protection background tasks? Event Viewer below. Having same issue with Windows Defender (not shown).

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 1/11/2019 3:44:26 PM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Spiderman
    Description:
    Mitigation CredGuard
    Platform 10.0.17134/x64 v771 06_9e
    PID 4020
    Feature 00170F30000001A2
    Application C:\Windows\System32\SrTasks.exe
    Description Microsoft® Windows System Protection background tasks. 10
    SAM access denied.
    Range = LBA 21631520 :256
    Read = LBA 21631520 :256
    Process Trace
    1 C:\Windows\System32\SrTasks.exe [4020]
    C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
    2 C:\Windows\System32\svchost.exe [1416]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-01-11T21:44:26.232734100Z" />
    <EventRecordID>19958</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Spiderman</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Windows\System32\SrTasks.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation CredGuard
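
The alert description quoted in the post above can be broken into its fields and process chain before an exclusion is requested. This is an added example, not part of the original post and not SurfRight code; `parse_alert` and `triage` are hypothetical names, and the layout is assumed to be the one shown in that event.

```python
import re

# Description text of the Event ID 911 record quoted in the post above,
# abridged (Platform, Feature and LBA lines left out).
SAMPLE = r"""Mitigation CredGuard
PID 4020
Application C:\Windows\System32\SrTasks.exe
Description Microsoft® Windows System Protection background tasks. 10
SAM access denied.
Process Trace
1 C:\Windows\System32\SrTasks.exe [4020]
C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
2 C:\Windows\System32\svchost.exe [1416]
c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
"""

HEADER_KEYS = {"Mitigation", "Platform", "PID", "Feature", "Application", "Description"}
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")  # "1 C:\path\app.exe [4020]"

def parse_alert(text):
    """Split an alert description into header fields, detail lines and process trace."""
    fields, details, trace, in_trace = {}, [], [], False
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = TRACE_RE.match(line) if in_trace else None
        if line == "Process Trace":
            in_trace = True
        elif m:  # numbered entry: image path and PID
            trace.append({"image": m.group(2), "pid": int(m.group(3)), "cmdline": ""})
        elif in_trace and trace:  # line after an entry is its command line
            trace[-1]["cmdline"] = line
        elif not in_trace:
            key, _, value = line.partition(" ")
            if key in HEADER_KEYS:
                fields.setdefault(key, value.strip())
            else:  # free-text reason, e.g. "SAM access denied."
                details.append(line)
    return fields, details, trace

def triage(text, system_dir="c:\\windows\\system32\\"):
    """Summarise one alert for an exclusion request. The path check is only a
    hint: a path does not authenticate a binary (check its signature too)."""
    fields, details, trace = parse_alert(text)
    chain = [(t["image"], t["pid"]) for t in trace]
    in_system = bool(chain) and all(img.lower().startswith(system_dir) for img, _ in chain)
    return {"mitigation": fields.get("Mitigation"), "application": fields.get("Application"),
            "reason": details[0] if details else None, "chain": chain,
            "all_images_under_system_dir": in_system}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
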
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,986
    Location:
    the Netherlands
    As RonnyT replied, in a similar case, March 31, 2018:
     
  15. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,696
    Location:
    Hollow Earth - Telos
    You are correct, it was under Office I think and not browser. This seems to happen after a Dragon update.
     
  16. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    136
    Location:
    Planet Earth
    HitmanPro.Alert 3.7.9 Build 773 Released

    Changelog (compared to build 771)

    Changed
    • Changed name for "Dynamic Shellcode Mitigation" back to "Heap Heap Protect". (This mitigation is still in silent detection mode).
    Improved
    • Heap Heap Protect
    • CodeCave
    Fixed
    • Trend Micro Intruder/Safe Browsing incompatibility
    Download
    https://dl.surfright.nl/hmpalert.exe

    We've enabled the automatic updater so every user of HitmanPro.Alert is automatically upgraded to this new build.
    Cheers!
    Ronny
     