HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Any news? I'm starting to worry, what's taking so long, are there any problems? :)
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    We still have over a month until Q2 ends.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    That's true, but I wonder why it's taking so long, a bit more info would be nice. :)

    I would like to know if they are still perfecting (developing) the app, or is it mostly because of compatibility problems?
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are finishing up. We are mainly caught up in a lot of testing. It all took quite a while but I promise it is worth the wait ;)

    Meanwhile, here is a recent screenshot of Alert 3 catching crypto-ransomware CryptoWall which is encrypting files from svchost.exe via code injection:
    https://twitter.com/erikloman/status/471721615274033153
    (Note: Alert version 2.6 catches CryptoWall as well).
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    Can't wait for version 3 :)
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I know this is probably a stupid question, but do I need HitmanPro installed on my system, when HitmanPro.Alert alerts me about something, or will HitmanPro.Alert do the blocking?

    I ask, because I noticed a "Scan with HitmanPro" button.

    It just gives me that feeling that I need it, to complete the process if it finds something.
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    HitmanPro.Alert will only make you immune to certain threats. You might still download a virus and by mistake install it. Then you need HitmanPro. Also, when a threat is detected in HPA, you will need HitmanPro to get rid of the threat.

    HitmanPro.Alert will be included in the license when you buy HitmanPro so no extra costs.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    3,097
    Location:
    the Netherlands
    If HitmanPro.Alert detects a security threat that needs to be removed, and HitmanPro is not installed on the system, the user is offered to automatically download HitmanPro and scan the computer.
    See:
    http://www.surfright.nl/en/alert
    and:
    http://www.surfright.nl/en/cryptoguard
    So when you use HitmanPro.Alert, there is no absolute need to have HitmanPro installed. It can be automatically downloaded if needed.

    P.S.
    I notice that your signature text says "HitmanPro Scheduled Scans",
    so I guess you have HitmanPro on your system already?
     
    Last edited: May 30, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Thanks for the info, I can't wait to test it. :)

    Btw, I've been reading again, and can you perhaps explain how SSL loggers work? Do they need to inject code into the browser?

    Apparently Zemana and Trusteer can both stop them, I'm not sure if they require user interaction in order to stop these trojans though. I'm saying that because I know that's one of your criteria before adding a protection feature to HitmanPro.Alert.

    http://www.zemana.com/product/antilogger/modules/anti-ssllogger.aspx
    http://www.zemana.com/LeakTest/ssllogger-test.aspx
     
    Last edited: May 30, 2014
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    SSL loggers work via code injection. They hook into SSL APIs to get the plain text (= after decryption / before encryption). Alert detects these API hooks and warns the user.

    Unlike Trusteer, Alert does not block the hook attempts made by SSL loggers (malware). The computer is infected, thus the computer has more problems than just those hooks.
    For example, the Zeus banking trojan is known to reel in additional malware like ransomware. Trusteer does not block these additional payloads.

    So basically, Alert does not pick a fight with the hooking attempts, it just warns. It then reels in its big brother HitmanPro to eradicate the potential system wide infection.

    Hope this helps.
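
A sketch of the kind of check described in post 10 (spotting an API hook by comparing a function's in-memory prologue with the on-disk image), added here as an example; it is not from the original thread and is not HitmanPro.Alert's actual method. All names, byte sequences and addresses are constructed, and it assumes the compared bytes contain no relocated addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_MOV_JMP_RAX, HOOK_UNKNOWN_PATCH };
struct hook_report { enum hook_kind kind; uint64_t target; int outside_module; };

/* Little-endian read of n bytes (n <= 8). */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Compare a function's in-memory prologue with the same bytes from the on-disk
 * image; if they differ, classify the redirect and resolve where it lands. */
static struct hook_report check_prologue(const uint8_t *mem, const uint8_t *disk, size_t len,
                                         uint64_t func_va, uint64_t mod_base, uint64_t mod_size) {
    struct hook_report r = { HOOK_NONE, 0, 0 };
    if (memcmp(mem, disk, len) == 0) return r;            /* untouched */
    r.kind = HOOK_UNKNOWN_PATCH;                           /* changed, pattern not recognised */
    if (len >= 5 && mem[0] == 0xE9) {                      /* jmp rel32 */
        r.kind = HOOK_JMP_REL32;
        r.target = func_va + 5 + (uint64_t)(int64_t)(int32_t)(uint32_t)rd_le(mem + 1, 4);
    } else if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
               mem[10] == 0xFF && mem[11] == 0xE0) {       /* mov rax, imm64 ; jmp rax */
        r.kind = HOOK_MOV_JMP_RAX;
        r.target = rd_le(mem + 2, 8);
    }
    if (r.kind != HOOK_UNKNOWN_PATCH)
        r.outside_module = r.target < mod_base || r.target >= mod_base + mod_size;
    return r;
}

/* Constructed sample data: a typical x64 prologue and three patched copies. */
#define FUNC_VA  0x7FF800011000ULL
#define MOD_BASE 0x7FF800000000ULL
#define MOD_SIZE 0x100000ULL
static const uint8_t disk_bytes[12] = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B};
static const uint8_t rel_hook[12]   = {0xE9,0x00,0x00,0x00,0x10,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B};
static const uint8_t near_jmp[12]   = {0xE9,0x00,0x01,0x00,0x00,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B};
static const uint8_t abs_hook[12]   = {0x48,0xB8,0x00,0x00,0xC4,0xB3,0xA2,0x01,0x00,0x00,0xFF,0xE0};

int main(void) {
    const uint8_t *samples[] = { disk_bytes, rel_hook, near_jmp, abs_hook };
    for (int i = 0; i < 4; i++) {
        struct hook_report r = check_prologue(samples[i], disk_bytes, 12, FUNC_VA, MOD_BASE, MOD_SIZE);
        printf("sample %d: kind=%d target=0x%llx outside_module=%d\n",
               i, (int)r.kind, (unsigned long long)r.target, r.outside_module);
    }
    return 0;
}
```

A redirect alone does not prove malware: as noted later in the thread, legitimate software also injects code into browsers, so the resolved target still has to be attributed to an owning module before alerting.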
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ erikloman,

    Thanks for the info. :)

    But actually, I meant to ask something else. I've seen a video about Trusteer blocking the SSL-logger demo tool from Zemana. I wonder how they do that? I suppose they simply block the code injection (without any alerts) from the demo tool? Why wouldn't HitmanPro.Alert be able to do the same, without causing any problems?

    http://www.youtube.com/watch?v=wh-3-KRPafg
     
  12. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    Hi Erik, after installing the latest version I am also having an issue with Sandboxie and HMPAlert. The issue seems to be typical: when I start my system and try to run sandboxed Firefox for the first time, it doesn't open. I can see the HMPAlert flyout but Firefox doesn't start, and when I check Task Manager I can see the Firefox process... Then I have to delete the contents of the sandbox and run Firefox again; it works this time, the flyout comes and sandboxed Firefox opens. Please take a look into this issue.
    OS version Windows 8.1 update 64bit
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    AFAIK they are on alerting instead of blocking so it can be compatible with all other security software. If you want to block everything like Trusteer, you'll probably get tons of compatibility problems which can't all be fixed. And it is also more resource intensive. BTW, only blocking it without any alerts is not good IMO, the user still has malicious software on their computer which can do all kinds of things, so the user needs to be informed to remove it.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes I understand this, but I'm still trying to figure things out. For example, if banking trojans (SSL loggers) can be stopped by blocking code injection into the browser, what's so special about tools like Zemana, SpyShelter and Trusteer? All HIPS can do this. But is it perhaps because of the fact that they can protect an already infected system? That is what I don't get. :)

    And I wonder why Zemana refuses to offer the SSL-logging test to everyone, if it's simply about injecting code into the browser, there's nothing special about it. Also, how common is it for legitimate tools to inject code into the browser? On my Win XP system, I got 5 non-Microsoft dll files (not related to the browser) that are loaded into browser memory. So I really don't see how blocking code injection would cause major problems on home user PCs.
     
    Last edited: Jun 5, 2014
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Could you perhaps test the Zemana SSL logging tool against HitmanPro.Alert? I suppose that as soon as the tool is activated, HMP.A should alert about the browser being compromised, all in real time? :)
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Yes, HIPS can do that, but they're not for the average users. There are also differences in granularity between HIPS; for example if process X wants to inject code into another process, some HIPS show the target process, others do not. If you click allow, some HIPS allow code injection in general, some HIPS allow code injection only to that target process. Tools like HMP.Alert, Trusteer etc. can protect casual users as well.

    The Zemana case is strange indeed, their reasoning was something like it's used by dangerous malware and is a relatively new technique in financial malware. A lot of time has passed since then but the test is still not available publicly.

    It is quite common for legitimate software to do code injection into other processes, including the browser AFAIK. Possible examples include anti-virus software's HTTP/URL scanner, password managers, software like Evernote, Logitech SetPoint (not sure), EMET as well. (Software like Trusteer usually includes a whitelist of these to avoid problems.)

    I'm not saying blocking code injection causes major problems, but it probably would cause a lot of compatibility problems with other security software. This happens to Trusteer as well, they fixed a lot of them, but they're still not compatible with some products.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Does this software work as an SSL logger? If so it can be used as a test tool.

    http://sourceforge.net/projects/revelationv20/
     
  18. ccs

    ccs Registered Member

    Joined:
    Aug 13, 2009
    Posts:
    2
    Location:
    North Carolina
    I just bought a 3yr/3pc license, mostly because I want to support the effort of HitmanPro.Alert (and love HitmanPro). Any idea when the 3.0 beta will start?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Before the end of this month :thumb:
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Thanks for the feedback. :thumb:

    Yes it's so weird, because Zemana has a separate HIPS module and a special anti-SSL logger option. Shouldn't the HIPS already block code injection anyway? So there must be more to it, perhaps tools like Zemana and Trusteer can protect even if your browser is already infected. And perhaps they are watching for specific browser memory modifications, so they will allow "normal" code injection but block (or repair) the malicious ones.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Cool. I do have another question, what do you think about G Data BankGuard? I've read that it not only alerts about browser memory being hijacked (like HitmanPro.Alert) but it can even instantly replace (or repair) the infected browser modules. Would it be possible to add this feature to HitmanPro.Alert, or would this cause any problems? :)
     
  23. Ricker

    Ricker Registered Member

    Joined:
    May 30, 2010
    Posts:
    4
    I triggered an alert when encrypting a folder containing five files using AxCrypt. Three of the files managed to get encrypted.
     
  24. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    The latest version does not work with Bitdefender Antivirus Plus. It alerts there is a risk with Firefox and Chrome. With Kaspersky it was OK, but I just removed Kaspersky and installed Bitdefender and had problems.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What version of Windows and what is your version of Bitdefender (AV, IS or TotalSecurity)?
     