HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    Have been testing ctp4 and only problem found is that with active vaccination enabled I cannot run my 3rd party file manager (xplorer²); it just closes immediately. Works OK if set to passive. Win 8.1 x64 and 64-bit version of xplorer².
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To answer your first question, only the developers know. There may or may not be another CT build, and they've stated there will be a RC build so I don't know that even they know.

    As to your 2nd question. I got a lot of those dumb emails stating they have a confirmation of an airline flight I am not taking. They attach a zip file that purports to be a scan of your ticket. I tested one in a virtual machine. Extracting it from the zip file, if you have file extensions turned off, it looks like a doc file. Except it is an exe file. When I executed it, HMPA immediately warned of a threat and shut it down.

    So I'd have to say it does pretty well
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am using win7 x64 and also same file manager. Works fine. I've even protected it with HMPA
     
  4. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    Odd, I tried protecting it as well but did not help, might be 8.1 specific. I'll wait for the next version and try it out again.
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Try installing xplorer2 in C:\Program Files\. That will work.
     
  6. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    I currently have a portable install outside of C:\Program Files so that will be the problem then. Is this going to be a potential issue with any portable app, even when it goes GA? Thanks
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Depends. If you put the portable app in "C:\Program Files\" it should work. If not, could you share the portable version of xplorer2 that is not working? I'd like to take a look at it. Could be that the portable app doesn't like to be debugged by HMPA.
     
  8. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    I'll test this out when I get a chance to re-install. The portable version is no different to the install version, I just unzip the setup file (that can be downloaded from zabkat.com) rather than install it. If it is a problem I can just as easily install correctly so don't worry, Peter2150 said above that it works fine for him.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah mine is installed in c:\Program files

    P
     
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Anybody got dchanger working with active vaccination?
     
  11. Eric Nemchik

    Eric Nemchik Registered Member

    Joined:
    Oct 3, 2014
    Posts:
    3
    Is there a list available of all of the EventIDs that HitmanPro.Alert would put in the Event Log and what each of those correspond to?
    I read somewhere that events would be put into the log with ID 301 but I see an event 300 and I'm wondering what all of them mean.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes good point, but I wouldn't be surprised if compatibility between MBAE/HMPA/EMET will always be a problem (no matter who is causing it) because they all use advanced exploit mitigations.

    But anyway, HMPA does offer more bang for the bucks, when it comes to features (+ cloud AV), the question is also who performs the best when it comes to blocking exploits.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Got a CryptoGuard FP during an installation of a game on Steam. XCOM: Enemy Unknown. What's worse is I can't try and reinstall the game for whatever reason. Here is the message:
     

  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think it was CTP3 I was testing.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Did they ever add a scroll bar to the settings? I was not able to access half the settings on my laptop since I do not have a scroll wheel on my Laptop. Also could someone point me to the link for CTP4?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just found CTP4 build 92. Is this the latest build?
     
  17. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi Cutting_Edgetech
    Yes, that's the latest Beta released build. :thumb:

    Take Care
    TheQuest :cool:
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Got the alert again while playing the game this time (I had disabled CryptoGuard to allow the game to install). Don't know why readme files are triggering CryptoGuard.
     

  20. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Is this going to be a pre-req (installing apps to C:\Program Files\) to have HMPA work correctly?

    I hope not.
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Active Vaccination by HitmanPro.Alert offers rather powerful protection. Because nowadays, nearly 90% of modern malware employs anti-reverse-engineering (Anti-RE) techniques to prevent detection:
    Modern-malware.png

    Typically, the more complex the Anti-RE techniques implemented, the longer it will take for a malware analyst to properly analyze a piece of malware and determine how to combat it. By refusing to run inside a malware analyst’s automated sandbox or honeypot, modern malware will effectively complicate the development and publication of virus signatures, as malware analysts need to manually analyze these samples.

    There are 4 categories and Active Vaccination addresses two of them, as they are technically possible to thwart without marking legitimate software as a threat:
    Anti-RE.png

    Active Vaccination by HMPA causes the malware to simply self-terminate as it wants to conceal its hostile intentions - the malware will not cause any harm to your computer or data. Next to its many memory and code mitigations, this is another unique way in which HMPA stops the majority of attacks and malware without using virus signatures.

    So if legitimate software refuses to run, it's the software's choice. If you have legitimate programs that refuse to run, simply install them in the location the software vendor intended it to be installed in, or disable Active Vaccination.
     
    Last edited: Oct 17, 2014
    Last edited by a moderator: Oct 17, 2014
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    We've stopped making our point about the PCSL test but apparently it's still not obviously clear that the test was a marketing stunt by the company that paid for it. Even though PCSL updated the test results stating that our product was not out of development, the unedited document is of course for download on the website of the company who paid for it.

    But let's make clear again what a Community Technology Preview (CTP) is. A CTP is called a CTP because the software is not finished, a prototype still under development. To date we have released 4 previews and with each preview we fix bugs and introduce new features and functionality, requesting input from the community regarding compatibility, user-friendliness, functionality, etc.
    We keep our preview builds close, we do not offer it to the general public from our website. This prevents non-tech-savvy people from running into problems that they cannot fix themselves, simply because the software is not finished, not feature complete and not fully tested. Hence the reason that we state: "This preview is NOT to be used in production environments". For CTP3, after PCSL reviewed our CTP2, we added a "not for review" phrase to the user interface even though we think that was already obvious.

    If you follow the development of HMPA and read the release notes you can see that with CTP3 and CTP4 we introduced e.g. Java Network Lockdown and general Application Lockdown. Since half of the PCSL-test involved Java exploits, this affected our CTP2 prototype software. We were still working on network lockdown which wasn't ready for CTP2 so it was pushed back for CTP3.
    If you look closely at the test data you'd see that the paying customer provided a special non-public future build for the PCSL test, which had special Java features that weren't in the (at that time) public final product everyone was running for months. You could say the test parameters were pre-arranged in a particular direction. If PCSL would e.g. have tested the generally available version, the product from the paying customer would have failed many Java tests as well (we redid all the tests, we know).
    In addition to that, no one has noticed that there was no false positive test conducted. It was conducted using only Internet Explorer as browser and, what'd you know, most of the tests involved Java ActiveX components, an IE-only feature. If a product would simply block all Java ActiveX applications to run, making legitimate use impossible as well, is that good or bad? Sure looks good in exploit tests. Also note that EMET 4.1 was tested instead of EMET 5.0, which has ASR which helps mitigate Java attacks. But since Microsoft officially ended support of Windows XP last April, it's no longer included in the list of supported Windows versions for EMET, even though it works fine if the user installs .NET.

    If you follow the development of HMPA you can read (in the release notes) that we introduced Active Virtual Machine Simulation (Anti-VM) with CTP4. Since PCSL has been doing tests with our CTP2 in a Virtual Machine, the used payloads were obviously not (made) VM-aware.
    In addition to that, our unique hardware-assisted control-flow integrity (to stop ROP attacks) was put out of operation simply because the tests were done in a Virtual Machine. A Virtual Machine is not a reflection of the real world, where 99% of all machines are not virtual. Our CFI technology requires a real machine as it programs the processor hardware for branch analysis, and this is technically not possible from within a virtual machine (as mentioned in our Exploit Test Tool Manual). This caused our software to fall back on stack-based analysis, and development of this part was, at the time of the test, in CTP2, still under development.
    Just so you know why it's still not ready for review, between CTP4 and the upcoming Release Candidate we have fixed bugs and improved many features, including Network Lockdown, Application Lockdown and Active Virtual Machine Simulation.

    The following Blackhat paper, covering millions of samples, underlies the mentioned statistic regarding anti-reverse-engineering: https://www.wilderssecurity.com/threads/prevalent-characteristics-in-modern-malware-slides.366998/
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I think you're mixing up two things. "Active Vaccination" does not have anything to do with blocking exploits. And what Mark Loman probably means with the graphics, is that if malware employs Anti-RE techniques, 80% of them use the Anti-VM method.
     
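The two posts above (markloman's "nearly 90% of modern malware employs Anti-RE techniques" and Rasheed187's reading that the 80% figure is the share of anti-VM *among* the samples that use Anti-RE at all) rest on a distinction that is easy to miss: an overall prevalence versus a conditional share. The following script, added here as an illustration and not code from HitmanPro.Alert or its developers, shows how a malware analyst derives both numbers from static indicator hits over a corpus. The import names and artefact strings it matches are well-known Windows API and VM-vendor names; the two category labels and the five-sample corpus are this example's own constructions, not the four categories in the post's figure.

```python
"""Static Anti-RE indicator triage over a small constructed corpus.

Added example, not HitmanPro.Alert code. It shows how a prevalence figure such
as "N% of samples use anti-RE techniques" and a conditional share such as
"of those, M% are VM-aware" are derived from per-sample indicator hits.
The indicator tables and category names are this example's own grouping,
not the four categories from the post's figure.
"""
from collections import Counter

# Well-known Windows API imports an analyst associates with debugger detection.
ANTI_DEBUG_IMPORTS = {
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
}
# Substrings of driver/service/vendor names that VM-aware code typically probes for.
ANTI_VM_STRINGS = ("vbox", "vmware", "vmtools", "qemu", "virtualbox")


def classify(imports, strings):
    """Return {category: [matching indicators]} for one sample (static view only)."""
    hits = {}
    dbg = sorted(name for name in imports if name in ANTI_DEBUG_IMPORTS)
    if dbg:
        hits["anti-debug"] = dbg
    vm = sorted(s for s in strings if any(n in s.lower() for n in ANTI_VM_STRINGS))
    if vm:
        hits["anti-vm"] = vm
    return hits


def prevalence(corpus):
    """Overall share of samples with any Anti-RE hit, plus the share of each
    category among *those* samples (the conditional figure, not the overall one)."""
    flagged = [classify(s["imports"], s["strings"]) for s in corpus]
    with_anti_re = [h for h in flagged if h]
    if not with_anti_re:
        return {"anti_re_share": 0.0, "category_share": {}}
    counts = Counter(cat for h in with_anti_re for cat in h)
    return {
        "anti_re_share": len(with_anti_re) / len(corpus),
        "category_share": {c: n / len(with_anti_re) for c, n in counts.items()},
    }


# Constructed corpus: import names and strings as a static tool would list them.
CORPUS = [
    {"name": "s1", "imports": ["CreateFileW", "ReadFile", "IsDebuggerPresent"],
     "strings": ["C:\\Windows\\System32\\drivers\\VBoxGuest.sys"]},
    {"name": "s2", "imports": ["CreateFileW", "WriteFile"],
     "strings": ["vmware-vmx.exe", "readme.txt"]},
    {"name": "s3", "imports": ["CheckRemoteDebuggerPresent", "Sleep"],
     "strings": ["config.ini"]},
    {"name": "s4", "imports": ["CreateFileW", "ReadFile"],
     "strings": ["readme.txt"]},
    {"name": "s5", "imports": ["RegOpenKeyExW"],
     "strings": ["SOFTWARE\\Oracle\\VirtualBox Guest Additions"]},
]

if __name__ == "__main__":
    for sample in CORPUS:
        print(sample["name"], classify(sample["imports"], sample["strings"]))
    print(prevalence(CORPUS))
```

On this corpus 4 of 5 samples carry some indicator (overall share 0.8), while anti-VM accounts for 0.75 of the flagged samples and anti-debug for 0.5; the two percentages have different denominators, which is exactly the point Rasheed187 makes. The caveat a practitioner should keep in mind, and which the xplorer² reports earlier in the thread illustrate, is that these static indicators also appear in legitimate software (a debugger-presence import is common in ordinary runtime code), so a hit is a triage signal for manual analysis, not a verdict on its own.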
  25. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Correct, HMPA does a whole lot more than just anti-exploit. This recent Threatpost is perhaps interesting as well: http://threatpost.com/recognizing-evasive-behaviors-seen-as-key-to-detecting-advanced-malware/108888

    BTW, some exploit kits try to stay away from virtual machines as well: http://malware.dontneedcoffee.com/2014/09/astrum-ek.html
    screenshot_2014-09-07_012.png
     