Troubleshoot SpyShelter misbehaving in the presence of HitmanPro.Alert

[conceptualclarity]

I have had SpyShelter Premium since the start of July. A couple of days ago I decided to re-install Hitman Pro.Alert full edition. (It had been thrown off my computer a few months ago when ESET got upset over an update.) After I brought back HMPA, SpyShelter began behaving perversely. It blocked the uploading via my context menu of the HitmanPro.exe setup file to the online VirusTotal. It blocked, strangely enough, my use of the bug report option on the SpyShelter GUI. It blocked my opening of my AmazonSmile bookmark on my Maxthon browser. It did all of these things with a notification saying "AntiNetworkSpy: SpyShelter blocks setting hooks for process Maxthon.exe(PID=????)"

SpyShelter support told me:

You need to go to Settings > Security > List of processes which are not monitored by AntiNetwork Spy Module and include HMPA in the list.

That didn't help, to my surprise. I told them:

Thank you for your help. I did as you said, putting hmpalert.exe in List of processes which are not monitored by AntiNetwork Spy Module. I find that the same behavior by SpySyhelter continues. It did all three of the things I mentioned above, and in addition it blocked my effort to open this page by clicking on the link in the email. In each case I got the notification mentioning Maxthon hooks. (I was able to open this page by pasting the link in the address bar.) So, although it seems inappropriate, should I add Maxthon browser to the List of processes which are not monitored by AntiNetwork Spy Module?

They responded:

Have you added Maxthon.exe to the exceptions list in List of processes which are not monitored by AntiNetwork Spy Module?

I added Maxthon to that exclusion list, and things went better for a while. Then I tried to open VLC media player, and I got trouble again, with SpyShelter blocking it.

SpyShelter support said:

You might also try to play around with HPA settings since it tries to hook into the browsers to provide protection, and since SpyShelter is already doing it, it locks HPA out. Other way around, you might as well attempt to disable AntiNetwork Spy Module but it will lower the security provided by SpyShelter.

Well, I can't articulate right now what AntiNetwork Spy Module does, but it sounds useful, and I don't want to disable it.

What are hooks and what is hook-setting? I tried my techterms.com and computerhope.com
Computer Dictionary bookmarks and came up empty. So, also, can someone suggest a better computer definitions webpage? Or maybe a big PDF

This is what appears to me to be the main configuration area for Hitman Pro.Alert full edition. I don't know where I can go to deal with HMPA hooks.

By the way, all of these things were enabled by default except "BadUSB" for which enabling was recommended. By default it has "Passive vaccination" enabled and "Active vaccination" only recommended. Are there problems with Active vaccination? I disabled HMPA keystroke encryption because, even with SpyShelter not running, it made my arrow unstable. Any comments on these things from HMPA fans?

Any way I can make SpyShelter and Hitman Pro.Alert be happy together? I really don't want to dump either of them, because I have paid for both of them. There is some overlap in their functions, but more difference, I think.

 

[Logethica]

Hi @conceptualclarity
Of the 2 software that you mention I only have spyshelter (currently premium thanks to a giveaway)..
As you know there are many occasions when incompatibility is a factor with software, and this may be one of those situations.
Hopefully you will get a reply on this thread from someone with knowledge of running those 2 programs together,and that can give you a method to make them compatible with each other..
Personally,if you want to keep both then I would disable the "Anti-Network Spy" components..these are not present in the free version of Spyshelter as you probably know..

Settings > List of monitored actions >
uncheck options:
33- Setting hook to monitor network requests
34- accessing to raw socket

Because,like you,I would prefer to have these options ticked..
(I have them ticked and have had no problems with Avast, Sandboxie, Voodooshield, Crystal security,or MAE)..
I would suggest (if you cannot make them compatible) to remove HMPA and replace it with another soft.

I apologise that I cannot give you any direct SS + HMPA experience advice.

 

[_CyberGhosT_]

I have tried the paid version of SpyShelter and it lasted about 24hrs, I gave it to a friend.
For some setups you will find an abundance of blocks, and you have to whitelist them or they will not run.
I think Spyshelter is ok software, but a bit over aggressive. IMHO I would remove Spyshelter and just run HMPA
I had a large number of safe and known software blocked by Spyshelter, so many infact I became exasperated
and that was the end of that. THis is something the Dev's need to address if they want a larger userbase.

 

[conceptualclarity]

Hi @conceptualclarity
Of the 2 software that you mention I only have spyshelter (currently premium thanks to a giveaway)..

Wow, never saw a SpyShelter giveaway.

Hi @conceptualclarity
Personally,if you want to keep both then I would disable the "Anti-Network Spy" components..these are not present in the free version of Spyshelter as you probably know..

Settings > List of monitored actions >
uncheck options:
33- Setting hook to monitor network requests
34- accessing to raw socket.

What is hook-setting? Only one program at a time can do it, I take it?

Before this mess with HMPA I would get a message from SpyShelter every time I opened Firefox along the lines of "AntiNetworkSpy: SpyShelter blocks setting hooks for process firefox.exe(PID=????)", but it never had any practical effect I could discern.

What is "accessing to raw socket"?

I see something about "trusted signers" at the end of "Settings" in the SpyShelter Help file. Would it help to make HMPA a trusted signer? I wonder where would I go to do that?

I have tried the paid version of SpyShelter and it lasted about 24hrs, I gave it to a friend.
For some setups you will find an abundance of blocks, and you have to whitelist them or they will not run.
I think Spyshelter is ok software, but a bit over aggressive. IMHO I would remove Spyshelter and just run HMPA
I had a large number of safe and known software blocked by Spyshelter, so many infact I became exasperated
and that was the end of that. THis is something the Dev's need to address if they want a larger userbase.

I understand your experience. I have gotten a lot of notifications from SpyShelter, but I figure they will diminish as SpyShelter learns. I've been patient with these notifications because they are a learning experience for me, given my much lesser knowledge compared to you.

HMPA amd SpyShelter are both great software with great testing results, and I'm loathe to give up either one of them.

I am surprised that SurfRight apparently gives no support for the HitmanPro.Alert program. I see no option for it on the GUI or the webpage.

 

[Gdant]

I am surprised that SurfRight apparently gives no support for the HitmanPro.Alert program. I see no option for it on the GUI or the webpage.

Surfright is acquired by sophos, so try to contact them for support. It may help they will provide you the necessary steps to follow.

 

[_CyberGhosT_]

Wow, never saw a SpyShelter giveaway.



What is hook-setting? Only one program at a time can do it, I take it?

Before this mess with HMPA I would get a message from SpyShelter every time I opened Firefox along the lines of "AntiNetworkSpy: SpyShelter blocks setting hooks for process firefox.exe(PID=????)", but it never had any practical effect I could discern.

What is "accessing to raw socket"?

I see something about "trusted signers" at the end of "Settings" in the SpyShelter Help file. Would it help to make HMPA a trusted signer? I wonder where would I go to do that?



I understand your experience. I have gotten a lot of notifications from SpyShelter, but I figure they will diminish as SpyShelter learns. I've been patient with these notifications because they are a learning experience for me, given my much lesser knowledge compared to you.

HMPA amd SpyShelter are both great software with great testing results, and I'm loathe to give up either one of them.

I am surprised that SurfRight apparently gives no support for the HitmanPro.Alert program. I see no option for it on the GUI or the webpage.

Sophos Purchased the Hitman line, I would contact Sophos Support and they can direct you to the appropriate Support group.
And remember my suggestions are only that "suggestions", as long as your content my friend thats what matters

 

[conceptualclarity]

Thanks for the good suggestions, guys. I have now gone to the Sophos website and spent a lot of time and effort there. I see no acknowledgement of SurfRight, and as best I could determine the site is not set up to do any support for SurfRight products. The phone support it says is only for "urgent or critical issues".

 

[_CyberGhosT_]

Thanks for the good suggestions, guys. I have now gone to the Sophos website and spent a lot of time and effort there. I see no acknowledgement of SurfRight, and as best I could determine the site is not set up to do any support for SurfRight products. The phone support it says is only for "urgent or critical issues".

The Acquisition happened not log ago, so it may be a bit before things are sorted out.
If your going to continue to use that product it will require patience, or one of the HMPA gurus here may lend a hand.

 

[Logethica]

What is hook-setting? Only one program at a time can do it, I take it?

What is "accessing to raw socket"?

@conceptualclarity ..
My knowledge level is not high enough to be able to properly explain these functions.....perhaps one of MTs "Advanced knowledge" users can help.
When I was deciding initially whether to leave these options checked,I read..

SpyShelter AntiNetworkSpy proactive module prevents dangerous trojans from stealing your private information, while making important SSL internet transactions. It also blocks HTTP/HTTPS trojans on user level as well as POP, SMTP, FTP, loggers.
I searched online at the time for pro's and con's of this,bit I could not find any useful information..

Regarding The possible Incompatibility of SS & HMPA...
Have you tried going into..
SpyShelter > Settings > Security > Check- Decrease Self-Defence to Improve Compatibility with 3rd-Party Software

Also,If SpyShelter Initially blocks/adds to blacklist an action that I want to allow then I..
Go into Rules > The action blocked will have a red circle next to it..click on the red circle and select the option to "make it allowed"...This will prevent future problems with that action.
You could also...(If you haven't already) Right-Click on your HMPA Desktop Icon > Scroll down to Spyshelter option and click "Add to exclude list"

 

[conceptualclarity]

Thank you very much, Logethica.

@conceptualclarity ..
My knowledge level is not high enough to be able to properly explain these functions.....perhaps one of MTs "Advanced knowledge" users can help.

I hope someone will.

@conceptualclarity ..Regarding The possible Incompatibility of SS & HMPA...
Have you tried going into..
SpyShelter > Settings > Security > Check- Decrease Self-Defence to Improve Compatibility with 3rd-Party Software

I am running that past SpyShelter support.

@conceptualclarityAlso,If SpyShelter Initially blocks/adds to blacklist an action that I want to allow then I..
Go into Rules > The action blocked will have a red circle next to it..click on the red circle and select the option to "make it allowed"...This will prevent future problems with that action.

My setting for SpyShelter is "Ask user". I checked Rules, and VLC doesn't have a red circle. I went on ahead and set it to "trusted signer", but even after doing that SpyShelter gives me that hooks message and blocks it.

 

[Logethica]

My setting for SpyShelter is "Ask user". I checked Rules, and VLC doesn't have a red circle. I went on ahead and set it to "trusted signer", but even after doing that SpyShelter gives me that hooks message and blocks it.

Try changing your SS settings from "Ask User" to "Auto Allow -High Security Level" (That is what I have)..
And in "Keystroke Encryption" > Advanced >Hooks Guard > Select- Better Compatibility mode

 

[conceptualclarity]

Try changing your SS settings from "Ask User" to "Auto Allow -High Security Level" (That is what I have)..
And in "Keystroke Encryption" > Advanced >Hooks Guard > Select- Better Compatibility mode

Better Compatibility mode is what I already had, probably as a default.

I changed the basic setting to Auto Allow -High Security Level as you suggested, and it still blocks VLC player.

SpyShelter support says:

You just need to add VLC to AntiNetworkSpy exceptions in Settings > Security > List of processes which are not monitored by AntiNetwork Spy Module.

This happens because HMPA tries to hook into VLC and SpyShelter is preventing it.

I feel like I'm going around in circles. Yes, I can add VLC to that, but what's the next program SpyShelter will block just because it's pissed about HitmanPro.Alert's activity? It seems to me that if indeed there is not one measure I can take to stop SpyShelter from all throwing a fit over HitmanPro.Alert, there is something in the design of the program that needs addressing.

Maybe I need to choose "Disable" under "Hooks Guard". But first I'd like someone to help me have a good understanding of what the heck hooks are.

Meanwhile I don't know if I'm going to be able to communicate with SpyShelter support further, because now every effort to load my ticket thread's page in Maxthon or Firefox fails, and there is no replying to him by email.

 

[shmu26]

what about uninstalling spyshelter and reinstalling it again? did you try that one?
It will remember your settings and all the processes you have okayed, and just take it on from there.
I don't think these two softwares should conflict, unless it is actually caused by your AV. This has happened to me -- the AV caused in indirect conflict with Spyshelter.
If your AV has BB or HIPS, you might be in for trouble, with spyshelter.

 

[Logethica]

@conceptualclarity ... Send an email to Erik Loman (Surfright Rep) erik@surfright.com He should be able to help you with HMPA..

It may also be an idea to delete all of your spyshelter rules,as if you have any active "local" blocking rules in place then they may perhaps trump any "general" software exceptions that you have performed.
I cannot find other instances of an SS + HMPA conflict online.

 

[conceptualclarity]

what about uninstalling spyshelter and reinstalling it again? did you try that one?
It will remember your settings and all the processes you have okayed, and just take it on from there.
I don't think these two softwares should conflict, unless it is actually caused by your AV. This has happened to me -- the AV caused in indirect conflict with Spyshelter.
If your AV has BB or HIPS, you might be in for trouble, with spyshelter.

@conceptualclarity It may also be an idea to delete all of your spyshelter rules,as if you have any active "local" blocking rules in place then they may perhaps trump any "general" software exceptions that you have performed.

Am running all of these ideas past SpyShelter support. I did in fact re-install (I believe without an uninstall) SpyShelter in my first few days of trialing it, and that solved a big problem at that point. So I'm seriously considering that.

@conceptualclarity ... Send an email to Erik Loman (Surfright Rep) erik@surfright.com He should be able to help you with HMPA..

Thanks for that suggestion. I will do it as soon as I have time.

Fortunately that webpage loading problem resolved.

 

[conceptualclarity]

I made this post to SpyShelter support on August 17:

Hello [...],

You just need to add VLC to AntiNetworkSpy exceptions in Settings > Security > List of processes which are not monitored by AntiNetwork Spy Module.
This happens because HMPA tries to hook into VLC and SpyShelter is preventing it.

I can do that, but I assume I will keep running into the same problem over and over with other applications.

Could you answer me directly: there must be a lot of people running both SpyShelter Premium and HitmanPro.Alert full edition. Are they having the same problems I'm having?

Somebody at a computer forum had a couple of suggestions. He thought it could have something to do with ESET HIPS or BB. I would note, however, that my ESET and SpyShelter seemed to be getting along fine before I re-installed HMPA.

He also suggesting uninstalling and re-installing SpyShelter and said it will remember my settings and processes decisions. I did uninstall and re-install in my first few days of having the program, and that did correct malfunctioning at that point. What do you think of that idea?

Another poster said:

It may also be an idea to delete all of your spyshelter rules,as if you have any active "local" blocking rules in place then they may perhaps trump any "general" software exceptions that you have performed.

Best Regards,
[...]

Apparently the individual at SpyShelter support is tired of dealing with me. He has yet to respond.

Tonight I clicked Forward on an email in Outlook Express. I had HitmanPro.Alert on, and SpyShelter was running, but protection was disabled. My arrow went crazy within that opened email, wandering around without being subject to my control. I stopped the HMPA service, and my arrow behaved normally in the email. Then I terminated SpyShelter and restarted HMPA. My arrow continued to behave normally within the email. So SpyShelter is throwing a fit over HMPA even when SpyShelter is running with protection disabled.

I do intend to contact Erik Loman.

 

[King Alpha]

I also tried to terminate SPS' process but to no avail. Some programs including WinPatrol are still not starting. I have no choice but to uninstall SPS and it solved my problem.

@conceptualclarity I'm glad you sorted out your problem with SPS.

 

[conceptualclarity]

I also tried to terminate SPS' process but to no avail. Some programs including WinPatrol are still not starting. I have no choice but to uninstall SPS and it solved my problem.

Thank you for your comment, King Mellow. I haven't had any program crippled by SpyShelter so far myself. This version of SSP can be terminated via its context menu or, if you so configure it (as I have), via Task Manager.

@conceptualclarity I'm glad you sorted out your problem with SPS.

Actually I haven't quite got it sorted out. I'm still going to do some more inquiring about getting these two excellent programs to run together. If that fails, I may alternate use of them.

 

[shmu26]

Maybe this will help you:
I tried to run SpS with Kaspersky Internet Security, and it did cause a conflict.
The SpS support gave me a piece of advice that worked well: install SpS without keystroke hooks. It is not enough to just turn off keystroke protection -- you have to uninstall, and then reinstall without those mean hooks.
You just untick that box at the beginning of the installation process. I think this might solve your problem.
It only affects the keystroke encryption and the core-level anti-keylogger. All other modules will function normally.

 

[King Alpha]

Maybe this will help you:
I tried to run SpS with Kaspersky Internet Security, and it did cause a conflict.
The SpS support gave me a piece of advice that worked well: install SpS without keystroke hooks. It is not enough to just turn off keystroke protection -- you have to uninstall, and then reinstall without those mean hooks.
You just untick that box at the beginning of the installation process. I think this might solve your problem.
It only affects the keystroke encryption and the core-level anti-keylogger. All other modules will function normally.

This might be the solution to our problems with SpyShelter. Thanks @shmu26