HitmanPro.ALERT Support and Discussion Thread

@erikloman @markloman

Could you take a look at this? There is a thread at the Malwarebytes forum where a user said that Cryptoguard failed against TeslaCrypt.

https://forums.malwarebytes.org/ind...ebytes-beats-hitmanpro-alert-on-its-own-game/

 

Is zip okay....my dump is >500mb

 

The OP didn't even confirm what version of HMPA he had installed. The only useful info is the malware itself; maybe Erik can get a sample and have a look at it?

http://www.bleepingcomputer.com/for...version-released-that-uses-the-exx-extension/

http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information

 

okay ~ zip <200mb ~~ OneDrive

 

No problems with Firefox 38.0. Also no problems with flash 17.0.0.188 (W7 64 bits/build 187).

 

Yes, Keystroke Encryption is working again now I've upgraded to FF 38.0.

 

HitmanPro.Alert 3.0 has _NO_ problem with TeslaCrypt. The encryption is blocked without loss of any data.

For example, this latest variant: http://www.bleepingcomputer.com/for...version-released-that-uses-the-exx-extension/
Sample: https://www.virustotal.com/en/file/...3ae3f09229de55c8913b66da/analysis/1431445133/

Even before Alert's CryptoGuard is triggered, the Process Protection mitigation from Alert intercepts the threat:



When the user would disable Process Protection mitigation, CryptoGuard will intercept the attack:



It is important to point out that the malware may be allowed to run on the machine but the data is always safe. HitmanPro.Alert is malware-agnostic and simply stops malicious operations. This approach stops way more crypto-ransomware attacks than what anti-malware or anti-virus solutions can offer.

If the user had Alert v2 from last year than yes, the documents on the machine will get encrypted by TeslaCrypt without intervention by Alert.
For solid protection against crypto-ransomware users need HitmanPro.Alert 3.0.

 

Kyle124, the OP in the Malwarebytes thread, wrote "I am using latest version 3 with updated build to latest version so thats not the problem and everything is enabled."

 

FF38 = NO encrypting ~~ Flash 17.0.0.188 okay

Thanks

 

Maybe his License was expired or he forgot to activate his purchase. I just checked the CryptoGuard protection against TeslaCrypt and it's working fine.

 

I wonder what he did wrong then, perhaps a configuration error? I also noticed that CryptoMonitor could stop it, at least according to BleepingComputer. Does it work differently? And BTW, when you have the time, perhaps you can respond to my PM.

 

No problems with Adobe reader 11.0.11 (W7 64 bits/build 187).

 

I hadn't thought of that.
I wonder if Kyle124 thought of that.
Although, he did write "everything is enabled."
Anyhow, I think it would be much better if Kyle124 would contact SurfRight, or post in this thread, instead of posting at Malwarebytes forums.

 

Thanks for pointing out that Kyle124 was using the latest verion of HMPA - I missed that. Still, we don't for sure what happened. Was HMPA installed correctly and fully enabled? He says MBAM detected the malware but he doesn't know the name. His data was encrypted, but he doesn't remember for certain what file extension the ransomware appended to his data files. Then he reset the OS so there's no way to go back and look at what happened.

 

Hi markloman,

I sent a PM to erik on BleepingComputer to tell him about this thread when it got posted, but he didn't read it yet (and he's been MIA for a few weeks now, maybe on vacation or else). Kyle124 posted a malwr.com link to the sample that infected him, and there's a download link for it. The malware is the newest variant of Tesla Crypt, which encrypts the files with a .exx extension, not .ecc, and not .ezz (Alpha Crypt). Is it possible that CryptoGuard is just not equipped to block this variant yet? If you want the malwr.com link to download and test the sample against CryptoGuard, let me know and I'll send you it via PM.

 

I also tested the sample that Kyle124 posted - I got it from malwr.com.
CryptoGuard inside HitmanPro.Alert 3 has no problem intercepting it:



@erikloman is on a well deserved R&R. He'll be back next week.

 

I am having trouble getting WinCrashReport to display and information at all. I downloaded the 32-bit version since the program is 32-bit (although I have a 64-bit OS). No dumps, errors, or anything show up, and I cou;dn't find a way to make a path file.

In the meantime: I hope we are protected from this:

https://isc.sans.edu/forums/diary/Angler exploit kit pushes new variant of ransomware/19681/

 

Well that didn't last long. Keystroke Encryption has stopped working in FF once again.

 

I can't find the message in this thread at the moment, but someone said they isolated the Keystroke Encryption issue to a conflict with Norton Security.

 

OK - not so simple then. Thanks!

 

Thank you for the update mark. And that's what I thought as well, I doubt erik would leave the CryptoGuard thread on BleepingComputer unattended without assigning someone else to take over it or else.

 

No problems with Sandboxie beta 4.17.5 (W7 64 bits/build 187).