HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Then maybe the processor is not supported. Check out page 7, paragraph 2.5 Hardware-assisted Control-Flow Integrity, for instructions on how to see if your processor is supported. This exploit technique cannot be blocked if you do not have a supported processor.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Bingo! That would be the problem with ROP - VirtualProtect via CALL gadget test. This machine has an i3 330M processor.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Hi Mark.
    Interesting to note:


    http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf

    -page 18-

Is it possible that BROMIUM Labs performs a test with 3 anti-exploit tools (MBAE, EMET, HPA3)?
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Sampei Nihira

What Bromium was trying to say is that their solution is the only one that can protect against "kernel exploits" while all other security tools can't. So that is a whole other discussion. :)
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the explanation, so if I understood correctly HMP.A also offers this "third layer" of protection, which is not the most important thing, because exploit mitigations should already do the job, but is still nice to have. All in all, it really seems that HMP.A is sort of like EMET "on steroids", quite impressive. :thumb:
     
    Last edited: Aug 5, 2014
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
Yes, but as you can see, MBAE is called into question as well as EMET.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Yes I know, but it's just promotional stuff, tools like EMET are very popular, so no surprise. Don't forget that 100% security isn't possible anyway, it's all about "good enough" protection. :)
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  9. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Is it wise to add protection for an email client (like eM Client) and if so what template do we use?
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
I would suggest adding eM Client to the Office category, as HitmanPro.Alert 3 puts most productivity applications under it (like Word and PDF).
     
  11. CanuckIT

    CanuckIT Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    2
    Hi Mark. I just had a tech tell me that a slow running file server suspected of a memory leak has had HitmanPro.Alert 2.6 removed for performance testing. He feels that it may be a factor although unproven at this point. Any comments?
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Thanks! We haven't heard of this before but we'll investigate.
    Just for reference and if possible, could you ask your tech what version of Windows is on that server?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker: https://www.decryptcryptolocker.com/
    Intelligence report: http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/
    Press: FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims

    SurfRight assisted Fox-IT by providing data encrypted by CryptoLocker, as mentioned in the intelligence report. And in case you just found this thread, HitmanPro.Alert offers protection against CryptoLocker and its variants, like the current CryptoWall. A demonstration video: https://www.youtube.com/watch?v=5M8YYnXIAlw
     
  14. CanuckIT

    CanuckIT Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    2
    Hi Mark.
    He says 2K8 non SBS for the server O/S. Many thanks.
     
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    HmP.Alert 3 CTP2 and Sandboxie:

    XP 32-bit: Sandboxie works (just tested).
    Vista 32-bit: Sandboxie doesn't work.
    Windows 7 64-bit: Sandboxie works.

    Using Norton Internet Security 21.5.0.19 (XP, Vista and Windows 7).
     
  16. I thought I had posted it with a picture to show, can't find it anymore.

    I noticed something strange with V3, dll was injected but no green border shown when using Chromium.

    Trusteer does not support Chromium (it does support Chrome), because they consider it beta (it can't be reliably tested, due to the nightly Chromium builds).

    Should Chromium also show a green border with HMPA 3, or is it not supported?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have finally installed HMPA v3, nifty GUI I must say. :)

    And I now see what you mean with "process execution control" and "exploit templates" (pic 2 and 3). But what is "deny new process" supposed to do? If I launch my PDF reader via Opera, it still launches?

    About the "system security" options, it would be nice if you could quickly enable/disable them when you click on the orange button, see pic 1. Now you have to click on them one by one.
     

    Last edited: Aug 7, 2014
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    By the way, now that I think of it, Neoava Guard was one of the first HIPS that tried to offer "damage control". But the "rapidly overwrite files" filter was not good enough to actually stop apps from modifying files. It could not stop "file infecting" trojans, I tested it myself. :)

    http://s14.postimg.org/h866f9jlt/NG_Sonar.png
     
    Last edited: Aug 7, 2014
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Any news on this, did you get a copy of the Zemana testing tool? ;)

    I would like to know how it works, does it simply try to inject code into the browser?
     
  20. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    "Deny New Process" was explained in this post https://www.wilderssecurity.com/thre...discussion-thread.324841/page-82#post-2397342 where I answered the 'third layer' question. It filters processes that are spawned from the protected application. For many applications it is off by default, but it is e.g. enabled for Java.

    The System Security options are deliberately like this since some of the listed features have more switches than just Enabled or Disabled. Like System Vaccination (Active, Passive, Disabled) and CryptoGuard (Enabled, Disabled and a checkbox for Windows File Sharing (SMB) to protect shared folders).
     
    Last edited: Aug 8, 2014
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Chromium is Google's open-source browser development project on which Google Chrome is built. I don't think that Chromium is really meant to be used as a regular browser since Google encourages users to use Google Chrome or the other browsers based on Chromium (like Comodo Dragon, SRWare Iron, etc.)
    But since Chromium is not registering itself as a browser, the Software Radar in HitmanPro.Alert 3 will not automatically apply its Safe Browsing and Exploit Mitigations to it. You can easily do this yourself though:
    1. Open Chromium
    2. Open HitmanPro.Alert
    3. Click on Exploit Mitigations
    4. Select Running Applications
    5. Select Chromium
    6. Select Browser
    7. Click on the Restart Chromium button
    Chromium is now added to both Safe Browsing and Exploit Mitigations. HMPA will now also draw the green halo around Chromium.
    HitmanPro.Alert supports ALL browsers and applications with a graphical user interface. You can add them yourself.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see, so if I understand correctly, if a new process is spawned in a normal way, then HMPA won't alert about it because of the "browser template". I've been running HMPA so far without any problems, but I haven't enabled all options, I have turned on "Safe browsing", "Exploit mitigations" and "Keystroke Encryption". It doesn't seem to cause any strange problems like v2 did. :)
     
  23. BBss

    BBss Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    23
    I found two bugs with the latest version:

    - The exploit mitigation blocks the Silverlight plugin on magine.com (popular TV streaming site) using Google Chrome.
    - Pressing the Windows key and immediately typing to search causes the first few inputs to be encrypted in the search bar.

    Windows 8.1 64bit
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Thanks for reporting. Regarding the encrypted keystrokes, we're currently ironing out the mentioned issue, which indeed has to do with 'special' keys like the Windows key.
    Regarding the alert on magine . com, is it possible that you could gather some more information for us? I've signed up at magine.com but they are currently unavailable (could be that The Netherlands is not supported). Could you send us a screenshot of the alert that appears? Or copy and paste the contents of the alert?
    Thanks again!
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    By the way, I forgot to mention that it seems to work just fine with Sandboxie, SBIE is still able to sandbox apps. Of course HMPA can't protect sandboxed apps, but that was expected. Also, about keystroke encryption, isn't it supposed to be system wide? I've tested it with the AKLT tool, and it did protect the browser, but ignores other apps. :)

    http://www.snapfiles.com/get/antikeyloggertester.html
     