HitmanPro.ALERT Support and Discussion Thread

It's probably complaining about the "hmpalert.dll" file that gets loaded into almost every running process. In theory, HMPA shouldn't interfere with apps if they are not protected by exploit mitigations. Do you get to see this file injected into any Norton process?

 

Stop looking at Security History - problem solved!

 

Random browsing tonight Norton stopped this (exploit?), HMPA didn't seem to stop it. I wonder if the two products are fighting? I was on a pretty known website, and a sidebar tried to open and this happened.

 

Norton stopped it on network level (IPS), so HMPA couldnt block it in first place because the exploit didnt even start.

 

No exploits have to be loaded if your configuration is up-to-date. AV's might be able to detect the general landing page of EKs that are used to load certain exploits based on the configuration of a pc.

 

Yes, fully agree with that. My point is that Hitman Pro Alert didnt warn about that particular exploit because it was stopped on network level, so in these cases we cant see the kind of protection HMPA gives to the user.

 

Makes sense. I stop countless exploits/threats on my gateway, never giving anything a chance to fire off. This was the rare case where something tried to inject into my browsing session and was stopped by Norton IPS. Norton has a fairly robust IPS, one of the reasons I like it. Since the threat was dealt with, it looks like it never got handed off to HMPA.

 

As it turns out, updating from previous RC deleted my tester's key (or at least I believe this happened) - as today when playing with the settings I noticed HPA was not activated. Reinserting it activated it again.

 

Can HPA help with OEM malware https://www.us-cert.gov/ncas/alerts/TA15-051A

 

Please see the HitmanPro forum: https://www.wilderssecurity.com/threads/hitman-pro-support-and-discussion-thread.236732/page-256

 

posted link opens here #6376 what am I looking for ?

 

That is correct.
Scroll down a few pages to the 'superfish' topic (post from Eric Loman, the developer)

 

Okay, I found #6389 ~ Thanks

 

Direct link to his post so no one miss it:
https://www.wilderssecurity.com/thr...iscussion-thread.236732/page-256#post-2460981

 

Actually, the question was about HMP.Alert, not HMP. HMP removes Superfish, but it would be interesting to see if Alert could detect and warn or block these kinds of SSL hijacking techniques.

 

Something like Certificate Pinning in EMET 5 ?

 

Perhaps, or something else. Zemana for example prevents the browser from trusting the Root cert: https://www.wilderssecurity.com/thr...e-on-new-computers.373547/page-3#post-2462095

 

I think Zemana will detect as long as it tries unusual hook, installing cert, or html injection.
As to detect or block, I don't much care about. Tho surely basically block is better, it can cause more problem and if I got alart I won't go on until I'm convinced that it's FP.

Yes, you're right and I brougt Zemana just as an example, sorry if it caused A vs B thing. I just want to know how exactly HMPA's browser protection work, as I can't find much resource contrary to exploit mitigation. You said in past posts it do passive scan, but what passive means?

Also I guess HMPA detect code injection and some API hook often used by banking malware?

You don't need to worry about it. It is due to Norton's self protection, and it should warn against other program as well even including some OS's process. Basically they won't cause actual problem.
HMPA worked fine with my NIS2014.

 

Still using HMPA makes a little sense regarding exploit (but remember, HMPA is not just anti-exploit). I admit Norton's IPS is one of the best, and combining strong UTM eliminates most of exploit including known 0day even before they arrive your PC, but when it comes to unknown 0day, most likely they can't stop it, tho there can be a little chance that their heuristics stops it (Kaspersky once blocked unknonw flash exploit by heuristic sig),and tho Norton's UxP claims it can stop even unkonw 0day exploit.
Also if the attack is highy obfuscated, i.e. leveraging Advanced Evasion Technique all IPS may (or may not) miss it. But bypassing HMAP requires completely different technique so it puts another obstacle for successful exploit.

I don't think they do cert pinning. Probably they check installed rootCA against DB and if unusual one was detected block it.

 

Advanced Evasion Techniques aren't really necessary in all cases, even custom made code will likely be able to bypass quite a number of AV engines. If you look at 0days that have been used ITW, then very few of them used any obfuscation. And heuristics don't always catch everything either. But if you look at suspicious behaviour like dropping executables from RWX memory on the heap, then things get more interesting. Furthermore, the most challenging part of bypassing HMPA/MBAE seems to be the Application Lockdown feature. EMET, HMPA and MBAE all have roughly the same limitations with regard to Stack Pivot, Caller Check and Heap Spray pre-allocation. Although there are small differences with regard to bypassing the three of them.
1) The Caller Check mitigation in EMET is weaker than in HMPA/MBAE.
2) EAF+ is a real killer, It will severely impact the use of an info leak (RW access to memory) and an info leak is sort of crucial when dealing with ASLR. I am not aware of any publicly documented way of bypassing EAF+ besides hard coding offsets. If you can reduce the effect of info leaks that allow RW access to memory, then you've hit the jackpot (hint, hint)

 

Ofc having memory protection is better, but combining perimeter defense as layered security don't harm anything as either is not perfect. NIPS can even block kernel exploit as long as signature matches (at least AV vendor have signature for them), and it shorten vulnerable period until official patch.

Anyway, as always much appreciate your detailed explanation.

Sure, it seems info leak as a measure to bypass ASLR is becomming popular recently (I think until recently leveraging non-ASLRed components was more common, right?) tho it usually requires another vuln such as buffer over-read, and I hope finally HMPA & EMET introduces EAF+. As to performance, if it was just an option and disabled for most apps I don't expect too much problem.
I don't know much about EAF bypass technique, but he claimes EAF+ does not protect against EAF bypass.

 

In the early days there were enough non-ASLR modules. For example:
WinXP:
No ASLR available

Win 7:
Java JRE 6 - EOL
MS Office 2007/2010 HXDS.DLL (http://www.greyhathacker.net/?p=585) - patched more than a year agoby MS

But nowadays you can't really rely on them anymore (Force ASLR).
Flash player is currently the most used way to bypass ASLR in exploit kits and you don't always need two vulnerabilities. If you can write 1 byte to an arbitrary location in memory, then you have a high chance of being able to bypass aslr.

The technique that is primarily used to bypass ASLR has been documented by FireEye: https://www.fireeye.com/blog/threat...s-apocalypse-in-lately-zero-day-exploits.html. (CVE-2013-0634 and CVE-2013-3163 are the relevant parts)
(NB: other techniques are also available and have also been presented at several conferences)

About the EMET 5.0 review written by dabbad00:
He used EMET 5.0 TP and I noticed that EAF+ in the Technical Preview offers less protection then EAF+ in the final versions of EMET 5.0/5.1. Although I haven't tested every part of the EAF and EAF+ mitigations (not worth spending time on)

 

Hi Erik,

When opening wPrime (2.09) I get the following warning:

http://i49.photobucket.com/albums/f296/maniac2003/HMPA%20-%20alert.jpg

How do I prevent such warnings or is this a false positive?

 

False positive. Set vaccination (Inenting) to passive to workaround.