HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Even HMPA 546 with LO x86 - 4.3.7.2 produces the same result here...
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Thanks very much for checking, Ronny.
    I think I didn't remember correctly.

    I looked up an old capture of HMPA "Running applications". It's from April 27, 2016. It shows soffice.bin (32 bit), and not swriter.exe, scalc.exe, simpress.exe and sdraw.exe.
    So, if the situation that I thought I remembered ever existed, it must've been before April 27, 2016.
    But I think the best chance is that I didn't remember correctly. I'm sorry.

    Thanks again, Tinstaafl and RonnyT!
     
  3. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    Are there known issues with Microsoft Edge or explorer.exe with the latest build (HitmanPro.Alert 3.7.8 build 750) on Windows 10 Home 64-bit v 1803 build 17134.165?

    Prior to this the issue didn't occur.
    -Microsoft Edge closes within 20-30 seconds after opening it. The Windows event log shows about 15+ errors during this time period.
    -Explorer.exe has been crashing, and the Start menu's responsiveness is not what it was.

    Tried:
    -Disabling Edge and Edge Content Protection Mitigations and Intruder Detection
    (I disabled the mitigations, tried opening Edge, then reapplied them and rebooted). They are now removed.
    -Disabled: (Security Acct Manager), BadUSB, Webcam Notification

    Using Windows Defender (Anti-malware Client Version: 4.18.1806.18062)
    Windows/Microsoft Updates are Current.
    Zemana Antimalware is also enabled, but disabling it does not resolve the issue.

    Do I need to open a ticket?
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    I don't know about explorer.exe,
    but there is a known issue regarding Microsoft Edge, see:
     
  5. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    Thanks for the quick response! I may be? I have the Home Edition.

    I looked under Apps and Browser Control > Exploit Protection Settings > Program Settings in Windows Defender's GUI. Below is what I found:

    -It's running with default settings except for Auto Sample Submission (I never modified them). The only thing disabled is Mandatory ASLR.
    -What's enabled: CFG, DEP, Bottom-up ASLR, High Entropy ASLR, Validate Heap Integrity, and SEHOP.

    Did that help/answer the question? Let me know if I can provide more info or send filtered event log when reproduced if needed.
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Last edited: Jul 22, 2018
  7. 142395

    142395 Guest

    Thanks, though it seems our symptoms are somewhat different.
     
  8. Eebillo

    Eebillo Registered Member

    Joined:
    Jul 13, 2018
    Posts:
    3
    Location:
    rock
    Should I just contact the support email for my issue? Can anyone here help me out?
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    You could wait and see if QA Engineer @RonnyT (or developers @erikloman or @markloman) may respond to your reports #14975 and #14977, but if that is taking too long, and if no one else can help you out, you can contact support, of course.
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Still on build 604 on two Vista x64 systems because it's the latest one that works on that OS.

    Working fine on a Vista test laptop, but lately on my main work machine, every time I click on "Scan computer" in the UI, HMP.A fails within a few seconds.

    Any suggestions on how to get it working again on that system?
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Is that with or without the standalone HMP installed?
    If scanning from HMPA fails, and HMP is not installed, install HMP and see if that resolves the issue.
    In case HMP was already installed, I have no suggestion what to try.
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I discovered an old copy of HMP (version 3.8.0.295) sitting in the Downloads folder. I clicked on the .exe file but it didn't formally install HMP; instead, it ran an HMP scan that finished normally.
    Afterward, I launched HMP.A and now the built-in scan is working again.
    Thanks for the idea! :thumb:
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Was HMP version 3.8.0.295 (which is the current version) installed already, before you ran the installer?
    The installed HitmanPro.exe is in C:\Program Files\HitmanPro
    In that location (and also in Windows Control Panel's Programs and Features, of course) you can see if and when HMP was installed.

    If the HMP installer is run when HMP is not yet installed, it offers to install after running the scan.
    If you ran the installer, and it only ran a scan, and after that it did not offer to be installed, I suppose it was already installed.

    Anyway, good that your issue seems to be fixed, for now.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    The first time you run HMP it asks whether you want to install it or not. I presume that if you choose not to install it it acts like a portable program.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks. :thumb:

    To answer your question: no, HitmanPro (any version) was not installed when I ran version 295. As far as I can remember, it wasn't on the list of installed programs and, while there was an HMP folder in the Start menu, the sub-item under it said "(empty)", so it had been installed at some point in the past. Now after running HMP, that sub-folder still says empty, but HMP does appear on the list of installed programs, and it does now have a folder in C:\Program Files. So I guess that the bottom line is that it did get installed when I ran it yesterday, although honestly I have no memory of it asking to install at any stage in the process.

    CAVEAT: I hadn't had my morning coffee yet when I did all that yesterday, so all recollections are suspect. :)
     
  16. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    false positive for chrome 67

    But I am not on latest HMPA.

    Code:
    Mitigation   ROP
    
    Platform     6.3.9600/x64 v728 06_9e
    PID          2040
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 67
    
    Callee Type  AllocateVirtualMemory
                 0x00002B2DCA284000 (86016 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFCA42ED400 chrome_child.dll          RET  0x00007FFCA4305A4B chrome_child.dll ^0002
    
    0x00007FFCA7B5D656 chrome_child.dll          RET  0x00007FFCA42ED3F8 chrome_child.dll ^0002
    
    0x00007FFCA432E2D5 chrome_child.dll          RET  0x00007FFCA42ED3E8 chrome_child.dll ^0006
    
    0x00007FFCA42ED400 chrome_child.dll          RET  0x00007FFCA4305A36 chrome_child.dll ^0001
    
    0x00007FFCA7B5D656 chrome_child.dll          RET  0x00007FFCA42ED3F8 chrome_child.dll ^0002
    
    0x00007FFCA432E2D5 chrome_child.dll          RET  0x00007FFCA42ED3E8 chrome_child.dll ^0006
    
    0x00007FFCA42ED400 chrome_child.dll          RET  0x00007FFCA43059CF chrome_child.dll ^0002
    
    0x00007FFCA7B5D656 chrome_child.dll          RET  0x00007FFCA42ED3F8 chrome_child.dll ^0002
    
    0x00007FFCA432E2D5 chrome_child.dll          RET  0x00007FFCA42ED3E8 chrome_child.dll ^002A
    
    RtlAcquireSRWLockExclusive +0x2f             RET  0x00007FFCA4305989 chrome_child.dll ^0035
    0x00007FFCD7B4ABCF ntdll.dll                                                            
    
    RtlReleaseSRWLockExclusive +0xc              RET  0x00007FFCA43057C0 chrome_child.dll ^0057
    0x00007FFCD7B4B67C ntdll.dll                                                            
    
    0x00007FFCA4305B04 chrome_child.dll          RET  0x00007FFCA4305A1E chrome_child.dll ^0001
    
    0x00007FFCA7B5D656 chrome_child.dll        ~ RET* PeekMessageW +0xa ^0004                
                                                      0x00007FFCD6CA298A user32.dll          
                        4889742418               MOV          [RSP+0x18], RSI
                        57                       PUSH         RDI
                        4883ec30                 SUB          RSP, 0x30
                        654c8b142530000000       MOV          R10, [GS:0x30]
                        418bd9                   MOV          EBX, R9D
                        418be8                   MOV          EBP, R8D
                        4981c200080000           ADD          R10, 0x800
                        488bfa                   MOV          RDI, RDX
                        488bf1                   MOV          RSI, RCX
                        4885d2                   TEST         RDX, RDX
                        0f85c2000000             JNZ          0x7ffcd6ca2a7b
                        4d8b5a60                 MOV          R11, [R10+0x60]
                        4d85db                   TEST         R11, R11
                        0f84b5000000             JZ           0x7ffcd6ca2a7b
                                             (8B9DFF0027E926F3)
    
    
    WinSqmCheckEscalationSetDWORD +0xf4          RET  +0x470f1 ^09A6                        
    0x00007FFCD7B916D4 ntdll.dll                      0x00007FFCD00B70F1 hmpalert.dll        
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFCD50817CB KernelBase.dll           VirtualAlloc +0x4b
    
    2  00007FFCA42DC445 chrome_child.dll      
                        4885c0                   TEST         RAX, RAX
                        0f95c0                   SETNZ        AL
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET        
    
    3  00007FFCA4305AEC chrome_child.dll      
    4  00007FFCA4305A1E chrome_child.dll      
    5  00007FFCA43057C0 chrome_child.dll      
    6  00007FFCA53A3EE9 chrome_child.dll      
    7  00007FFCA4A92980 chrome_child.dll      
    8  00007FFCA4A90E6E chrome_child.dll      
    9  00007FFCA53A6404 chrome_child.dll      
    10 00007FFCA4A8D3DD chrome_child.dll      
    
    Code Injection
    0000005248D30000-0000005248D31000    4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4564]
    0000005248D4F000-0000005248D50000    4KB
    00007FFCD7BA0000-00007FFCD7BA1000    4KB
    00007FFCD7BA1000-00007FFCD7BA2000    4KB
    00007FF70DCB8000-00007FF70DCB9000    4KB
    0000005248D50000-0000005248D51000    4KB
    00007FF70DCB4000-00007FF70DCB5000    4KB
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4564]
    chrome.exe  --cipher-suite-blacklist=0xc009,0xc00a,0xcc15,0x009e --disable-3d-apis --enable-backing-store-limit --disable-breakpad --disable-client-side-phishing-detection --disable-cloud-import --enable-direct-write --disable-java --disable-password-gener
    2  C:\Windows\System32\cmd.exe [4700]
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Google\Chrome\Application\chrome.bat" "
    3  C:\Windows\explorer.exe [3580]
    4  C:\Windows\System32\userinit.exe [3544]
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [2040]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --disable-in-process-stack-traces --autoplay-policy=no-user-gesture-required --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=true --default-tile-width=128 --default
    2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4564]
    chrome.exe  --cipher-suite-blacklist=0xc009,0xc00a,0xcc15,0x009e --disable-3d-apis --enable-backing-store-limit --disable-breakpad --disable-client-side-phishing-detection --disable-cloud-import --enable-direct-write --disable-java --disable-password-gener
    3  C:\Windows\System32\cmd.exe [4700]
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Google\Chrome\Application\chrome.bat" "
    4  C:\Windows\explorer.exe [3580]
    5  C:\Windows\System32\userinit.exe [3544]
    
    Thumbprint
    59f6b077fe903aedc9065408c52b42da89f16677570434196b2e4a31d41d73f9
    In risk reduction what are default and what are recommended options to tick if different to default?
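As an added example (not HitmanPro.Alert's own code, and not from the post's author), here is a Python parser for the alert report format pasted above, followed by the kind of thumbprint allowlist check a defender would use to suppress a confirmed false positive such as this one instead of disabling the ROP mitigation. The sample input is a trimmed copy of that pasted report; the meaning of the trailing ^NNNN field on each branch line is not stated in the thread, so it is kept verbatim as `tag`.

```python
"""Parse a HitmanPro.Alert mitigation report pasted as text and triage it by thumbprint."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the ROP alert pasted in the post above.
SAMPLE_REPORT = r"""
Mitigation   ROP
Platform     6.3.9600/x64 v728 06_9e
PID          2040
Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description  Google Chrome 67

Callee Type  AllocateVirtualMemory
             0x00002B2DCA284000 (86016 bytes)

Branch Trace                              Opcode  To
0x00007FFCA42ED400 chrome_child.dll          RET  0x00007FFCA4305A4B chrome_child.dll ^0002
RtlAcquireSRWLockExclusive +0x2f             RET  0x00007FFCA4305989 chrome_child.dll ^0035
0x00007FFCD7B4ABCF ntdll.dll
0x00007FFCA7B5D656 chrome_child.dll        ~ RET* PeekMessageW +0xa ^0004
                                                  0x00007FFCD6CA298A user32.dll

Stack Trace
1  00007FFCD50817CB KernelBase.dll           VirtualAlloc +0x4b
2  00007FFCA42DC445 chrome_child.dll

Process Trace
1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [2040]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer
2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4564]
chrome.exe --disable-breakpad

Thumbprint
59f6b077fe903aedc9065408c52b42da89f16677570434196b2e4a31d41d73f9
"""

HEADER_RE = re.compile(r"^([A-Z][A-Za-z ]*?)\s{2,}(\S.*)$")
BRANCH_RE = re.compile(r"^(?P<src>.+?)\s+(?P<ind>~)?\s*(?P<op>[A-Z]+\*?)\s+"
                       r"(?P<dst>.+?)\s+\^(?P<tag>[0-9A-F]{4})$")
STACK_RE = re.compile(r"^(\d+)\s+([0-9A-F]{16})\s+(\S+)(?:\s+(.+))?$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")
THUMB_RE = re.compile(r"^[0-9a-f]{64}$")
SECTIONS = {"Branch Trace": "branch", "Stack Trace": "stack", "Code Injection": "injection",
            "Process Trace": "process", "Thumbprint": "thumb"}


@dataclass
class AlertReport:
    fields: dict = field(default_factory=dict)      # Mitigation, Platform, PID, ...
    branches: list = field(default_factory=list)    # dicts: src, op, dst, tag, indirect
    frames: list = field(default_factory=list)      # dicts: index, address, module, location
    processes: list = field(default_factory=list)   # dicts: index, image, pid, cmdline
    thumbprint: str = ""


def parse_report(text: str) -> AlertReport:
    """Walk the report line by line, switching parsers at each section heading."""
    rep, section, last_key = AlertReport(), "header", None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        hit = next((n for s, n in SECTIONS.items() if line.startswith(s)), None)
        if hit:
            section = hit
        elif section == "header":
            m = HEADER_RE.match(line)
            if m:
                last_key = m[1]
                rep.fields[last_key] = m[2]
            elif last_key:  # wrapped value, e.g. the address under "Callee Type"
                rep.fields[last_key] += " " + line
        elif section == "branch":
            m = BRANCH_RE.match(line)  # disassembly and wrapped module names are skipped
            if m:
                rep.branches.append({"src": m["src"], "op": m["op"], "dst": m["dst"],
                                     "tag": m["tag"], "indirect": m["ind"] is not None})
        elif section == "stack":
            m = STACK_RE.match(line)
            if m:
                rep.frames.append({"index": int(m[1]), "address": m[2],
                                   "module": m[3], "location": m[4] or ""})
        elif section == "process":
            m = PROC_RE.match(line)
            if m:
                rep.processes.append({"index": int(m[1]), "image": m[2],
                                      "pid": int(m[3]), "cmdline": ""})
            elif rep.processes:  # the command line follows its process entry
                rep.processes[-1]["cmdline"] = line
        elif section == "thumb" and THUMB_RE.match(line):
            rep.thumbprint = line
    return rep


def branch_modules(rep: AlertReport) -> list:
    """Modules named in address-plus-module branch entries (sorted, unique)."""
    mods = {side.split()[1] for b in rep.branches for side in (b["src"], b["dst"])
            if side.startswith("0x") and len(side.split()) == 2}
    return sorted(mods)


def triage(rep: AlertReport, known_fps: set) -> str:
    """Flag a report whose (application, thumbprint) pair is on an allowlist."""
    key = (rep.fields.get("Application", "").lower(), rep.thumbprint)
    return "known-false-positive" if key in known_fps else "needs-review"
```

The allowlist key deliberately combines the application path with the thumbprint: the thumbprint identifies the specific branch pattern HMP.A flagged, and tying it to the application keeps an entry added for one Chrome build from silencing the same pattern in an unrelated process.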
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Just unticking SAM under Credential Theft Protection, but I don't think that's the issue here ...
     
  18. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    I have the same issue with Microsoft Edge. The only way I found to make it work is disabling the HitmanPro.Alert service and rebooting; if I stop the service during an active session the problem is not fixed.

    It is strange, because I don't even have Windows Defender Application Guard enabled. I found many DCOM errors inside the log, but after launching Process Monitor I have a doubt; I saw this entry: see image

    Do you mind taking a look at this Process Monitor .pml?

    I think it cannot be addressed user side.

    Then, going on through the log, I noticed a BufferOverflow; maybe that is what is going on and ends up crashing Edge: see image 2

    Given that probably the first thing loaded is the driver, maybe hmpalert.sys is the cause? That would be coherent with what I observed with the service disabled on boot. Not sure...

    After disabling all exploit protections inside Security Center, Edge works fine; now to see which specific option creates the issue.

    Disabling CFG in Security Center did the trick. Anyway, I have another machine with it enabled and Edge opening fine, not sure :thumb:
     

    Attached Files:

    Last edited: Jul 29, 2018
  19. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    HMPA causes the TP-Link admin page to stall and be completely unusable. I had to uninstall HMPA to use it.
    TP-Link N300 WiFi Range Extender (TL-WA855RE)
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    HMPA has had problems with TP-Link since Sep 2015, as you'll see if you search for 'TP-Link' in this thread.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    September 18, 2016, Erik wrote,
    Was such fix for TP-Link never applied?
     
  22. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    False positive alarm (3.7.8 build 750). The newest HitmanPro, Emsisoft Emergency Kit, Malwarebytes Anti-Malware and Dr.Web CureIt found nothing.
     

    Attached Files:

  23. guest

    guest Guest

    Dr. Web Cure is spawning a file which wants to read the memory of LSASS.exe, and the Credential Theft mitigation of HMP.A is correctly blocking it.
    If you want Dr. Web Cure to do its job fully, the Credential Theft mitigation needs to be disabled.
     
  24. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    @MikeRepairs, I had the same problems in 2015/2016 with a TP-LINK WDR3600. I am not sure what the reason is; I remember the devs also trying to fix this issue back then by buying a TP-Link router themselves. I suspect it is the randomness of the login page that is created as a security measure;

    anyway, on the same router I then installed DD-WRT because I was stressed by this thing, and it worked fine :)
     
  25. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Thank you!
     