HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is not a crash, it is called an alert ;)

    The mpeg2 decoder is actually performing a ROP. Expect a fix in CTP3.
     
    Last edited: Jul 30, 2014
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Can you give some more details about the "different" technique that this malware is using? Because you would think that CryptoGuard is designed to stop even unknown malware? And I don't mean this in a negative way, to clarify. :)
     
  3. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
Actually, I meant my Firefox crashed before the alert was shown. Disabled ROP until CTP3, will it be released anytime soon?
     
  4. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    What is the eta for the final version of HMP.A 3.0?
     
  5. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,189
    Location:
    The Netherlands
    The startup of Opera is slowed down considerably on the computer of my kids with a conventional HDD. Any way to troubleshoot this issue?
     
  6. fuewa88

    fuewa88 Registered Member

    Joined:
    Jul 31, 2014
    Posts:
    1
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    It seems Avira System Speedup is overwriting files, changing over 90% of its contents which triggers Alert's CryptoGuard.
    You might want to disable 'Wipe the junk files 5 times before deleting' in Avira System Cleanup (View > Program Settings).
    Alternatively you can disable CryptoGuard in HitmanPro.Alert but then your data is no longer protected against CryptoLocker or CryptoWall.
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
CryptoGuard creates a copy of each document when it's opened. When the file is written back to the disk CryptoGuard examines the contents of the written file and compares it to the original copy. When the contents are completely different it keeps track of the application that changed the contents. When this application is altering the complete contents of more documents, CryptoGuard steps in, halts the perpetrating application and restores the attacked files using the original backup copies.
    This particular malware in the video is performing a different read/write approach. It is changing parts of the contents in multiple passes until it's completely altered. We're adding support for this method in a coming update.
     
    Last edited: Jul 31, 2014
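As an added illustration of the behaviour markloman describes above (snapshot on open, compare on write, count heavily rewritten documents per process, halt and roll back) and of why a multi-pass wipe tool such as the Avira case earlier in the thread trips the same heuristic, here is a small in-memory model in Python. It is example code written for this thread, not SurfRight's implementation: the 90% change ratio, the three-document threshold, the byte-wise difference measure and the process names are all assumptions. It compares each write against the open-time snapshot rather than the previous write, which is what lets the multi-pass partial overwrite accumulate to a full rewrite.

```python
from collections import defaultdict

# Tunables: assumed values for this example, not taken from HitmanPro.Alert.
CHANGE_RATIO = 0.9      # fraction of bytes that must differ for a write to count
DOC_THRESHOLD = 3       # heavily rewritten documents per process before halting


def change_ratio(original: bytes, current: bytes) -> float:
    """Fraction of the larger buffer that differs between snapshot and current content."""
    if not original and not current:
        return 0.0
    n = max(len(original), len(current))
    differing = sum(1 for a, b in zip(original, current) if a != b)
    differing += abs(len(original) - len(current))   # length change counts as difference
    return differing / n


class CryptoGuardModel:
    """Minimal model of the open/write/halt/restore cycle (not the real driver)."""

    def __init__(self):
        self.disk = {}                    # path -> bytes currently on "disk"
        self.snapshots = {}               # path -> bytes copied when the file was opened
        self.altered = defaultdict(set)   # process -> paths it has rewritten almost entirely
        self.halted = set()               # processes that tripped the threshold
        self.restored = set()             # paths rolled back from snapshots

    def create(self, path: str, content: bytes) -> None:
        self.disk[path] = content

    def on_open(self, path: str) -> None:
        # The backup copy is taken once, at first open, and kept until the verdict.
        self.snapshots.setdefault(path, self.disk[path])

    def on_write(self, process: str, path: str, content: bytes) -> bool:
        """Apply a write; return True if the process is (now) halted."""
        if process in self.halted:
            return True                   # a halted process writes nothing
        self.disk[path] = content
        snap = self.snapshots.get(path)
        if snap is None:
            return False                  # never opened under our watch: nothing to compare
        # Compare with the open-time snapshot, so several partial passes add up.
        if change_ratio(snap, content) >= CHANGE_RATIO:
            self.altered[process].add(path)
        if len(self.altered[process]) >= DOC_THRESHOLD:
            self.halted.add(process)
            for p in self.altered[process]:
                self.disk[p] = self.snapshots[p]
                self.restored.add(p)
            return True
        return False


def simulate_multipass_encryptor(passes: int = 3, files: int = 4):
    """Constructed scenario: each document is flipped in several partial passes."""
    g = CryptoGuardModel()
    docs = {f"doc{i}.txt": bytes([0x41 + i]) * 300 for i in range(files)}
    for p, c in docs.items():
        g.create(p, c)
        g.on_open(p)
    halted = False
    for p, c in docs.items():
        buf = bytearray(c)
        chunk = len(buf) // passes
        for k in range(passes):
            for i in range(k * chunk, (k + 1) * chunk):
                buf[i] ^= 0xFF            # one slice per pass; ~33% vs the previous write
            if g.on_write("encryptor.exe", p, bytes(buf)):
                halted = True
    intact = all(g.disk[p] == docs[p] for p in docs)
    return halted, sorted(g.restored), intact


def simulate_single_save() -> bool:
    """A word processor rewriting one document completely must not trip the threshold."""
    g = CryptoGuardModel()
    g.create("report.txt", b"draft " * 50)
    g.on_open("report.txt")
    return g.on_write("editor.exe", "report.txt", b"final " * 50)


def simulate_wipe_tool(files: int = 5, wipe_passes: int = 5):
    """Secure-delete tool overwriting many files before unlinking them (the Avira case)."""
    g = CryptoGuardModel()
    paths = [f"junk{i}.tmp" for i in range(files)]
    for p in paths:
        g.create(p, b"cache data " * 20)
        g.on_open(p)
    for p in paths:
        for _ in range(wipe_passes):
            if g.on_write("cleanup.exe", p, b"\x00" * 200):
                return True, len(g.restored)
    return False, len(g.restored)
```

With the assumed thresholds the encryptor is stopped on its third document and the three rewritten files are rolled back from their snapshots, the single save is ignored, and the wipe tool is halted after its third file for exactly the reason given in the thread: the detector cannot tell a deliberate pre-delete overwrite from encryption, only that one process is rewriting many documents wholesale.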
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Could that be implemented in an update for the current HMP.A 2.6.5, also,
    instead of only in the HMP.A 3 beta and the later HMP.A 3 final?

    Implementing a way to stop that new variant crypto-malware in the HMP.A 3 beta and the later HMP.A 3 final is good, but also implementing it in the current HMP.A 2.6.5, that would be wonderful.
     
  10. rhabdomantist

    rhabdomantist Registered Member

    Joined:
    May 12, 2011
    Posts:
    38
    Location:
    Canada
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
Today Microsoft has announced the general availability of EMET 5.0. While HitmanPro.Alert 3 CTP1 and CTP2 were compatible with the EMET 5.0 Technical Preview, the updated EAF mitigation in EMET 5.0 GA can prevent programs from opening when both EMET 5.0 and HitmanPro.Alert 3 CTP2 are on the same computer. We're investigating and addressing it in CTP3. In the meantime you could either use EMET 4.1 U1 instead of EMET 5.0 GA, remove HitmanPro.Alert 3 or disable the EAF mitigation in EMET 5.0 GA.

    Feel free to test the anti-exploit capabilities of EMET 5.0 using our Exploit Test Tool, available in the HitmanPro.Alert 3 CTP2 download. Before testing, don't forget to add our applications hmpalert-test.exe and hmpalert64-test.exe to EMET to apply the protection.
     
    Last edited: Jul 31, 2014
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    And for those still using HMP.A 2.6.5.77,
    are HMP.A 2.6.5.77 and EMET 5.0 Final compatible?
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Since HitmanPro.Alert 2 does not include any exploit mitigation technologies, there are no incompatibilities expected with any version of EMET, including EMET 5.0 GA.
    To verify, I've briefly tested Alert 2 with the latest EMET 5 and could not find any issues.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    OK, thanks very much.
    I'll try it myself, later on.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Does that mean I have to disable CryptoGuard to manually erase files?
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    No. You can erase files with Avira System Speedup, just don't first overwrite the contents of the file before deleting the files as it will trigger CryptoGuard.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't mean using Avira System Speedup specifically, but what is erasing files without overwriting the contents? You mean simply deleting them? So if I shred any file, CryptoGuard will be triggered?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
No, you have to do a whole lotta files together, like ransomware would.
     
  20. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    You can perform the exact same test that Malware Don't Need Coffee / Kafeine did yourself since each exploit kit attack was recorded with Fiddler. This means you can replay them and perform the same tests that Kafeine did against any anti-exploit tool. You can download the Fiddler traces here: http://files.dontneedcoffee.com/public.php?service=files&t=2f1501e77a24189f0a2500d6ea780a49

    If you read the review by Kafeine you will see that many of the CVE attacks did not fire at all (which makes this datasheet interesting), so in these cases effectiveness could not be verified; there was no threat to block. So pay attention to Kafeine's review to determine which CVE attack (in the Fiddler trace) works and which one does not; meaning that some exploits might not work and therefore the exploit mitigations or anti-exploit techniques are not triggered either.

    Spoiler: HitmanPro.Alert 3 blocks all working attacks in the Fiddler traces that Kafeine provided.

Skilled and interested professionals can also replay the latest .pcap files using Fiddler as well. Just go to Fiddler > File > Import Sessions > Packet Capture and add the traffic to Fiddler's AutoResponder. Brad and his excellent Malware Traffic Analysis repository offer one or two daily fresh .pcap files for you to test but keep in mind that the machine you test on deliberately needs the specific outdated vulnerable applications that the attackers are targeting, or the exploit will not work - consequently, the exploit mitigations will not trigger either.
    And I must warn you that this testing is not for everyone. Only very experienced people that regularly work with test environments and are familiar with vulnerabilities, exploits, malware and its delivery, are able to perform and understand if an exploit is triggered or not. We do these tests very often but if someone here is able to exploit a machine on which Alert 3 is not triggering, we'd like to know very much.
     
    Last edited: Aug 1, 2014
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    What would be the point of continuing to use a 2.X version of HMP.Alert after v3 is final?
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Of course, but I think it could take a while until there is a stable HMP.A 3 final.
    HMP.A 2 and HMP.A 2.5/6 have been beta for quite some time before finally they were considered and released as stable.
    That is why I think it would be a good idea to implement a way to stop the new variant crypto-malware in HMP.A 2.6.5 also, for the time that HMP.A 3 is still beta.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Well that makes sense, but if they change the crypto-malware protection code in v2 will that make it beta again? I know, my bad ;), but I understand what you're asking for.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    :)
    I don't know.
    I can imagine it would be a relatively much smaller adjustment than the v2 to v3 changes.
    I could imagine SurfRight can be so smart that making such an adjustment in v2 wouldn't make it beta for long, much shorter than I expect v3 to be in beta stage.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Have you tried to test EMET?
     