HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, which of the 4 is addressed by HMPA, besides anti-VM? Also, if I'm correct, there are several anti-VM tricks (not just one), so that is what you mean with 80% I suppose. From that 80%, about 20% of all malware will simply not run at all, the others might try to fool the sandbox, this is out of HMPA's scope, am I correct?
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    EMET 4.1 is compatible with HMPA. EMET 5 is not. Microsoft is addressing the issue which is not HMPA related.

    MBAE betas were compatible with HMPA. MBAE 1.04 is not. Apparently MBAE 1.05 experimental seems compatible again with HMPA.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This issue will be addressed in the RC release. Thanks for reporting :thumb:
     
  4. I explicitly mentioned (faulted) test, just asked you for your data source or an explanation of how to read it. Can't find your percentage in the presentation in the link you referred to. The powerpoint of that study tells me "don't believe anyone who throws data at you".

    Presentation mentions percentages of how VM discovery is distributed, not an absolute percentage on (as I understand it). I am not saying you are lying, just asking for an explanation. How did the 2014 Anti-VM add up to 81.4% in that chart?
     
  5. Again not discussing the functions of HMPA, just asking for an explanation, so 80% using anti-RE using anti-VM is something different from 80% of the exploits staying inactive when they detect a VM. That makes sense since the article of PC World mentions that 18% of the exploits use anti-VM.

    As mentioned in the post above, that is how I understood the percentages mentioned: it shows how they are divided, but maybe the Loman Brothers are so kind to explain how they add up to 81,4 based on these charts.
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The goal of Alert is to stop malware from deploying. The Anti-VM percentage is not specifically geared towards exploits, but malware in general.
     
    Last edited: Oct 17, 2014
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Oh, it appears the figures are from this research presented at Blackhat: https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf
     
  8. So according to the presentation: 50.49% was packed, from the packed malware 88,96% had anti-RE of which 81.4% had anti-VM = 0,5049 x 0,8896 x 0,8140 = 36,56% of the malware attacking Brazilian banks did check for VM detection.

    Arbitrary data might look like FUD, which you did not intend to do, otherwise you would not have provided the source of the graphs posted. Thanks for being a sport and providing the background data, next time you throw data at us, please explain the context.
     
    Last edited by a moderator: Oct 18, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes cool, but how long will it take before they become incompatible again, know what I mean? I was just trying to figure out if it's more likely that HMPA v3 will have compatibility problems with EMET/MBAE compared to HMPA v2 which does not offer anti-exploit protection. :)

    And can someone answer my question in this post (see link)? HMPA protects against malware that is using Anti-VM methods, but does it also protect against malware using anti-debugging methods for example?

    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-104#post-2418696
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well it's you that misunderstood. ;)

    See this post: https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-103#post-2418633
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's good that you cleared things up, plus you got that off your chest. :D

    I basically did the same in the PCSL thread (see link), but with a shortened version. But yes the test was not done correctly and fairly IMO. Even though I can understand that Malwarebytes was curious (just like me) how HMPA would perform against certain exploits. But if you do such a test, do it correctly and with a finished product.

    https://www.wilderssecurity.com/thre...lications-aug-2014.367084/page-3#post-2417004
     
  12. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
    I can't play Archeage with CTP4 because "Hackshield Pro" detects it as a debugger, had to uninstall it and now I'm back on 2.6.5 :(.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This will be addressed in the RC release. As a workaround, switch from Active Vaccination to Passive Vaccination.
     
  14. Mark's quote and the graph (#2571)

    My question for background data (#2572)

    Source of Mark's claim and graph (#2575)

    Can't find the data answer (#2579)

    Reply of Mark providing other source (#2582)

    My thank you post to Mark (#2583)

    So I found the data in the second source (#2582), and understood that the anti-VM percentage mentioned applies to packed malware, not all malware (#2583). Reading back I realised that Mark had claimed in his first post that it concerned modern malware, not all malware.

    The arbitrary information leading to misinterpretation is that not all packed malware is modern malware, and not all modern malware is packed malware. Hence my request for more context information.

    Rasheed, you are a blessed man, having such insights. I simply have to ask when I don't understand something because the numbers contradict another source (PC World #2572) or the figures mentioned don't add up to the presented data (as explained in #2579).
     
    Last edited by a moderator: Oct 19, 2014
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Nice, the next big step: RC release.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, perhaps I misunderstood your question. But what I am saying is: the PC World test is unrelated to the data that Mark Loman provided. PC World says: About 20% of malware refuses to run inside the VM. Mark Loman says: 80% of modern malware is using anti-VM methods. But there are several Anti-VM methods. So of that 80%, probably about 20% do not run at all, and the other 60% might try to trick the VM.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ erikloman and markloman

    I already figured out that "Active Vaccination" also protects against malware that is using "anti-debugging" methods, should have read the HMPA release notes, my bad. :)
     
  18. The concept of passive and active vaccination is smart: using malware's own evasion techniques to prevent countermeasures as a countermeasure against the malware itself will increase the cost of creating exploit kits, because it reduces the operational uptime in the period the malware has the ability to earn income while doing its job (assuming the time span in which reverse engineers are able to dissect and analyse malware remains the same). Increasing costs/reducing earnings is the most effective measure against malware, because it hurts them in the primary reason they were built for.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    CONFLICT ALERT

    Hi Erik and Mark

    Found another conflict. This is with a VPN Private Internet Access (-https://www.privateinternetaccess.com-) which I am testing for a laptop that will need to be used at public hotspots.

    On a random basis when I start the VPN I get a "HitmanPro Alert has encountered a problem and needs to shut down" message. Attached below are the details from that Appcrash. The tray icon goes away, and just restarting didn't bring it back.

    Once I started playing with it I realized the service was still running and protection was still active, so it wasn't so bad. This morning I tried something else. When it happened again, I manually stopped the service. Then I double clicked the start menu shortcut to restart. It started but again the tray icon disappeared, indicating the GUI wasn't active. When I restarted the service, it seemed to fix everything.

    Pete

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: hmpalert.exe
    Application Version: 3.0.14.89
    Application Timestamp: 542bc581
    Fault Module Name: ole32.dll
    Fault Module Version: 6.1.7601.17514
    Fault Module Timestamp: 4ce7b96f
    Exception Code: c0000005
    Exception Offset: 0003cf85
    OS Version: 6.1.7601.2.1.0.256.48
    Locale ID: 1033
    Additional Information 1: a7aa
    Additional Information 2: a7aa91f17ea749d42a4de3b390fa5b3d
    Additional Information 3: a7aa
    Additional Information 4: a7aa91f17ea749d42a4de3b390fa5b3d

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    C:\Windows\system32\en-US\erofflps.txt
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Pete, aren't you using an old build? I see: Application Version: 3.0.14.89. Current build is 3.0.15.92.
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Hi Peter,
    I am unable to reproduce. I purchased a subscription and tested the Private Internet Access software with Alert 3 on Windows 7 32-bit and Windows 8.1 64-bit and it worked fine. What other security software were you running? Thanks!
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mark

    I am running Emsisoft EIS, AppGuard, and NVT ERP. Also I use ShadowDefender, and I only use the VPN when I have SD in shadow mode. With a lot of testing I've determined it's not ShadowDefender, as I've also had it happen without ShadowDefender. I've had no alerts or messages from any of the other programs. Oh, I also have Sandboxie on the system, but I don't use it when using the VPN.

    Note that my system is Win 7x64.

    Again, it happens randomly, not all the time. Also when it happens the service is still running, just no tray icon. It just happened before I logged on here, and I stopped the service and reclicked on the start menu icon, with no result. After restarting the service it came up, both service and systray. Next time it happens I will just restart the service and see what happens.

    If there is anything I can get you that would help let me know.

    Pete
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Peter2150:
    Don't you think you are "a little" over protected, eventually paranoid, running so much security software at the same time?

    Also you forced Mark to buy an unnecessary subscription, because you did not provide enough information about that massive amount of security software in the first place.

    I am happy to run MSSE, Malwarebytes and HMP.Alert at the same time, without any issues.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi deugniet

    You know you are right. I have installed the later build but somewhere along the line a rollback or restore set it back. Will fix that immediately.

    Thanks for the heads up.

    Pete
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    1st.
    Every one of those programs has a unique feature that fills a current, or possible future hole.
    Also you assume I run them all at the same time. I don't necessarily.
    Finally my security requirements are probably much different than yours.

    2nd
    I believe Erik does have my security setup, but that aside I did what I always do in the 7 years I've been beta testing.
    I report the problem giving as much detail about the problem and then wait to see what the developer needs.
    Based on response of Mark here and Erik also, as soon as they can take money, I am buying HMP Alert.

    3rd
    I am glad your setup works for you but it wouldn't work for me.

    Pete
     